Headline
Ubuntu Security Notice USN-6449-1
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
==========================================================================
Ubuntu Security Notice USN-6449-1
October 24, 2023

ffmpeg vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in FFmpeg.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that FFmpeg incorrectly managed memory resulting
in a memory leak. An attacker could possibly use this issue to cause
a denial of service via application crash. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22038)

It was discovered that FFmpeg incorrectly handled certain input files,
leading to an integer overflow. An attacker could possibly use this issue
to cause a denial of service via application crash. This issue only
affected Ubuntu 20.04 LTS. (CVE-2020-20898, CVE-2021-38090,
CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094)

It was discovered that FFmpeg incorrectly managed memory, resulting in
a memory leak. If a user or automated system were tricked into
processing a specially crafted input file, a remote attacker could
possibly use this issue to cause a denial of service, or execute
arbitrary code. (CVE-2022-48434)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
  ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavcodec-extra 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavcodec-extra58 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavcodec58 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavdevice58 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavfilter-extra 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavfilter-extra7 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavfilter7 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavformat-extra 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavformat-extra58 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavformat58 7:4.4.2-0ubuntu0.22.04.1+esm2
  libavutil56 7:4.4.2-0ubuntu0.22.04.1+esm2
  libpostproc55 7:4.4.2-0ubuntu0.22.04.1+esm2
  libswresample3 7:4.4.2-0ubuntu0.22.04.1+esm2
  libswscale-dev 7:4.4.2-0ubuntu0.22.04.1+esm2
  libswscale5 7:4.4.2-0ubuntu0.22.04.1+esm2

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
  ffmpeg 7:4.2.7-0ubuntu0.1+esm3
  libavcodec-extra 7:4.2.7-0ubuntu0.1+esm3
  libavcodec-extra58 7:4.2.7-0ubuntu0.1+esm3
  libavcodec58 7:4.2.7-0ubuntu0.1+esm3
  libavdevice58 7:4.2.7-0ubuntu0.1+esm3
  libavfilter-extra 7:4.2.7-0ubuntu0.1+esm3
  libavfilter-extra7 7:4.2.7-0ubuntu0.1+esm3
  libavfilter7 7:4.2.7-0ubuntu0.1+esm3
  libavformat58 7:4.2.7-0ubuntu0.1+esm3
  libavresample4 7:4.2.7-0ubuntu0.1+esm3
  libavutil56 7:4.2.7-0ubuntu0.1+esm3
  libpostproc55 7:4.2.7-0ubuntu0.1+esm3
  libswresample3 7:4.2.7-0ubuntu0.1+esm3
  libswscale5 7:4.2.7-0ubuntu0.1+esm3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  ffmpeg 7:3.4.11-0ubuntu0.1+esm3
  libavcodec-extra 7:3.4.11-0ubuntu0.1+esm3
  libavcodec-extra57 7:3.4.11-0ubuntu0.1+esm3
  libavcodec57 7:3.4.11-0ubuntu0.1+esm3
  libavdevice57 7:3.4.11-0ubuntu0.1+esm3
  libavfilter-extra 7:3.4.11-0ubuntu0.1+esm3
  libavfilter-extra6 7:3.4.11-0ubuntu0.1+esm3
  libavfilter6 7:3.4.11-0ubuntu0.1+esm3
  libavformat57 7:3.4.11-0ubuntu0.1+esm3
  libavresample3 7:3.4.11-0ubuntu0.1+esm3
  libavutil55 7:3.4.11-0ubuntu0.1+esm3
  libpostproc54 7:3.4.11-0ubuntu0.1+esm3
  libswresample2 7:3.4.11-0ubuntu0.1+esm3
  libswscale4 7:3.4.11-0ubuntu0.1+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6449-1
  CVE-2020-20898, CVE-2020-22038, CVE-2021-38090, CVE-2021-38091,
  CVE-2021-38092, CVE-2021-38093, CVE-2021-38094, CVE-2022-48434
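To confirm a host actually carries the fixed builds listed in the update instructions, the following added example (not part of the notice or of Ubuntu's tooling) compares installed versions against them using Debian version ordering, so that a non-ESM build of the same upstream release is correctly reported as older. The function names, the package-name prefix match and the sample listing are assumptions; on a real host `dpkg --compare-versions` is the authoritative comparison.

```python
import re

# Fixed versions copied from USN-6449-1 (every listed package in a release shares one version).
FIXED = {
    "22.04": "7:4.4.2-0ubuntu0.22.04.1+esm2",
    "20.04": "7:4.2.7-0ubuntu0.1+esm3",
    "18.04": "7:3.4.11-0ubuntu0.1+esm3",
}
# Assumption: packages built from ffmpeg are recognised by these name prefixes.
PREFIXES = ("ffmpeg", "libavcodec", "libavdevice", "libavfilter", "libavformat",
            "libavresample", "libavutil", "libpostproc", "libswresample", "libswscale")

def _order(c):
    # Debian ordering: '~' sorts before end-of-string (0), then letters, then other characters.
    return -1 if c == "~" else ord(c) + (0 if c.isalpha() else 256)

def _key(part):
    # Alternating (non-digit run, number) pairs; the trailing 0 marks the end of each run.
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def version_key(v):
    """Sort key for [epoch:]upstream[-revision]; a missing revision counts as 0."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), _key(upstream), _key(revision)

def unpatched(release, dpkg_listing):
    """Return {package: version} for ffmpeg packages older than the fixed version."""
    out = {}
    for line in dpkg_listing.strip().splitlines():
        name, version = line.split()
        name = name.split(":")[0]  # drop an architecture qualifier such as :amd64
        if name.startswith(PREFIXES) and version_key(version) < version_key(FIXED[release]):
            out[name] = version
    return out

# Constructed sample, shaped like: dpkg-query -W -f='${binary:Package} ${Version}\n'
SAMPLE = """\
ffmpeg 7:4.4.2-0ubuntu0.22.04.1
libavcodec58:amd64 7:4.4.2-0ubuntu0.22.04.1+esm2
libavutil56:amd64 7:4.4.2-0ubuntu0.22.04.1+esm1
vlc 1.0-1
"""

if __name__ == "__main__":
    print(unpatched("22.04", SAMPLE))
```
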
Related news
Debian Linux Security Advisory 5721-1 - Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.
Gentoo Linux Security Advisory 202312-14 - Multiple vulnerabilities have been discovered in FFmpeg, the worst of which could lead to code execution. Versions greater than or equal to 6.0 are affected.
Ubuntu Security Notice 6449-2 - USN-6449-1 fixed vulnerabilities in FFmpeg. Unfortunately that update could introduce a regression in tools using an FFmpeg library, like VLC. This update fixes the problem. It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).