Ubuntu Security Notice USN-5472-1

Ubuntu Security Notice 5472-1 - It was discovered that FFmpeg would attempt to divide by zero when using Linear Predictive Coding or AAC codecs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. It was discovered that FFmpeg incorrectly handled certain input. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10.

Packet Storm
=========================================================================
Ubuntu Security Notice USN-5472-1
June 08, 2022

ffmpeg vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in FFmpeg.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that FFmpeg would attempt to divide by zero when using Linear Predictive Coding (LPC) or AAC codecs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-20445, CVE-2020-20446, CVE-2020-20453)

It was discovered that FFmpeg incorrectly handled certain input. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-20450)

It was discovered that FFmpeg incorrectly handled file conversion to APNG format. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-21041)

It was discovered that FFmpeg incorrectly handled remuxing RTP-hint tracks. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-21688)

It was discovered that FFmpeg incorrectly handled certain specially crafted AVI files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-21697)

It was discovered that FFmpeg incorrectly handled writing MOV video tags. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information or execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-22015)

It was discovered that FFmpeg incorrectly handled writing MOV files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. This issue affected only Ubuntu 18.04 LTS. (CVE-2020-22016)

It was discovered that FFmpeg incorrectly handled memory when using certain filters. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22017, CVE-2020-22020, CVE-2020-22022, CVE-2020-22023, CVE-2022-22025, CVE-2020-22026, CVE-2020-22028, CVE-2020-22031, CVE-2020-22032, CVE-2020-22034, CVE-2020-22036, CVE-2020-22042)

It was discovered that FFmpeg incorrectly handled memory when using certain filters. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-22019, CVE-2020-22021, CVE-2020-22033)

It was discovered that FFmpeg incorrectly handled memory when using certain filters. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 21.10. (CVE-2020-22027, CVE-2020-22029, CVE-2020-22030, CVE-2020-22035)

It was discovered that FFmpeg incorrectly handled certain specially crafted JPEG files. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-22037)

It was discovered that FFmpeg incorrectly performed calculations in EXR codec. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-35965)

It was discovered that FFmpeg did not verify return values of functions init_vlc and init_get_bits. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2021-38114, CVE-2021-38171)

It was discovered that FFmpeg incorrectly handled certain specially crafted files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 21.10 and Ubuntu 22.04 LTS. (CVE-2022-1475)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS:
  ffmpeg                          7:4.4.2-0ubuntu0.22.04.1
  libavcodec-extra58              7:4.4.2-0ubuntu0.22.04.1
  libavcodec58                    7:4.4.2-0ubuntu0.22.04.1
  libavdevice58                   7:4.4.2-0ubuntu0.22.04.1
  libavfilter-extra7              7:4.4.2-0ubuntu0.22.04.1
  libavfilter7                    7:4.4.2-0ubuntu0.22.04.1
  libavformat-extra58             7:4.4.2-0ubuntu0.22.04.1
  libavformat58                   7:4.4.2-0ubuntu0.22.04.1
  libavutil56                     7:4.4.2-0ubuntu0.22.04.1
  libpostproc55                   7:4.4.2-0ubuntu0.22.04.1
  libswresample3                  7:4.4.2-0ubuntu0.22.04.1
  libswscale5                     7:4.4.2-0ubuntu0.22.04.1

Ubuntu 21.10:
  ffmpeg                          7:4.4.2-0ubuntu0.21.10.1
  libavcodec-extra58              7:4.4.2-0ubuntu0.21.10.1
  libavcodec58                    7:4.4.2-0ubuntu0.21.10.1
  libavdevice58                   7:4.4.2-0ubuntu0.21.10.1
  libavfilter-extra7              7:4.4.2-0ubuntu0.21.10.1
  libavfilter7                    7:4.4.2-0ubuntu0.21.10.1
  libavformat-extra58             7:4.4.2-0ubuntu0.21.10.1
  libavformat58                   7:4.4.2-0ubuntu0.21.10.1
  libavutil56                     7:4.4.2-0ubuntu0.21.10.1
  libpostproc55                   7:4.4.2-0ubuntu0.21.10.1
  libswresample3                  7:4.4.2-0ubuntu0.21.10.1
  libswscale5                     7:4.4.2-0ubuntu0.21.10.1

Ubuntu 20.04 LTS:
  ffmpeg                          7:4.2.7-0ubuntu0.1
  libavcodec-extra58              7:4.2.7-0ubuntu0.1
  libavcodec58                    7:4.2.7-0ubuntu0.1
  libavdevice58                   7:4.2.7-0ubuntu0.1
  libavfilter-extra7              7:4.2.7-0ubuntu0.1
  libavfilter7                    7:4.2.7-0ubuntu0.1
  libavformat58                   7:4.2.7-0ubuntu0.1
  libavresample4                  7:4.2.7-0ubuntu0.1
  libavutil56                     7:4.2.7-0ubuntu0.1
  libpostproc55                   7:4.2.7-0ubuntu0.1
  libswresample3                  7:4.2.7-0ubuntu0.1
  libswscale5                     7:4.2.7-0ubuntu0.1

Ubuntu 18.04 LTS:
  ffmpeg                          7:3.4.11-0ubuntu0.1
  libavcodec-extra57              7:3.4.11-0ubuntu0.1
  libavcodec57                    7:3.4.11-0ubuntu0.1
  libavdevice57                   7:3.4.11-0ubuntu0.1
  libavfilter-extra6              7:3.4.11-0ubuntu0.1
  libavfilter6                    7:3.4.11-0ubuntu0.1
  libavformat57                   7:3.4.11-0ubuntu0.1
  libavresample3                  7:3.4.11-0ubuntu0.1
  libavutil55                     7:3.4.11-0ubuntu0.1
  libpostproc54                   7:3.4.11-0ubuntu0.1
  libswresample2                  7:3.4.11-0ubuntu0.1
  libswscale4                     7:3.4.11-0ubuntu0.1

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5472-1
  CVE-2020-20445, CVE-2020-20446, CVE-2020-20450, CVE-2020-20453,
  CVE-2020-21041, CVE-2020-21688, CVE-2020-21697, CVE-2020-22015,
  CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020,
  CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025,
  CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029,
  CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033,
  CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037,
  CVE-2020-22042, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171,
  CVE-2021-38291, CVE-2022-1475

Package Information:
  https://launchpad.net/ubuntu/+source/ffmpeg/7:4.4.2-0ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/ffmpeg/7:4.4.2-0ubuntu0.21.10.1
  https://launchpad.net/ubuntu/+source/ffmpeg/7:4.2.7-0ubuntu0.1
  https://launchpad.net/ubuntu/+source/ffmpeg/7:3.4.11-0ubuntu0.1

Related news

Gentoo Linux Security Advisory 202312-14

Gentoo Linux Security Advisory 202312-14 - Multiple vulnerabilities have been discovered in FFmpeg, the worst of which could lead to code execution. Versions greater than or equal to 6.0 are affected.

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one

CVE-2022-22025

Windows Internet Information Services Cachuri Module Denial of Service Vulnerability.

CVE-2022-1475: #9651 (Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240) – FFmpeg

An integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in libavcodec/g729_parser.c when processing a specially crafted file.

CVE-2022-22988: WDC-22003 EdgeRover Desktop App Version 1.5.0-576 | Western Digital

File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources. It would be more difficult for an authenticated attacker to now traverse through the files and directories. This can only be exploited once an attacker has already found a way to get authenticated access to the device. 

CVE-2021-38291: #9312 (assertion failed in av_rescale_delta) – FFmpeg

FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from an assertion failure at src/libavutil/mathematics.c.

CVE-2020-22017: #8309 (heap-buffer-overflow at libavfilter/drawutils.c:341) – FFmpeg

A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at ff_fill_rectangle in libavfilter/drawutils.c, which might lead to memory corruption and other potential consequences.

CVE-2020-22032: #8275 (heap-buffer-overflow at libavfilter/vf_edgedetect.c:180 in gaussian_blur) – FFmpeg

A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_edgedetect.c in gaussian_blur, which might lead to memory corruption and other potential consequences.

CVE-2020-22025: #8260 (heap-buffer-overflow at libavfilter/vf_edgedetect.c:153) – FFmpeg

A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences.
