Headline
Ubuntu Security Notice USN-6449-2
Ubuntu Security Notice 6449-2 - USN-6449-1 fixed vulnerabilities in FFmpeg. Unfortunately that update could introduce a regression in tools using an FFmpeg library, like VLC. This updated fixes the problem. It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
==========================================================================
Ubuntu Security Notice USN-6449-2
November 15, 2023
ffmpeg regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
Summary:
USN-6449-1 introduced a regression in FFmpeg
Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files
Details:
USN-6449-1 fixed vulnerabilities in FFmpeg. Unfortunately that update
could introduce a regression in tools using an FFmpeg library, like VLC.
This updated fixes the problem. We apologize for the inconvenience.
Original advisory details:
It was discovered that FFmpeg incorrectly managed memory resulting
in a memory leak. An attacker could possibly use this issue to cause
a denial of service via application crash. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22038)
It was discovered that FFmpeg incorrectly handled certain input files,
leading to an integer overflow. An attacker could possibly use this issue
to cause a denial of service via application crash. This issue only
affected Ubuntu 20.04 LTS. (CVE-2020-20898, CVE-2021-38090,
CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094)
It was discovered that FFmpeg incorrectly managed memory, resulting in
a memory leak. If a user or automated system were tricked into
processing a specially crafted input file, a remote attacker could
possibly use this issue to cause a denial of service, or execute
arbitrary code. (CVE-2022-48434)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm3
libavcodec-extra 7:4.4.2-0ubuntu0.22.04.1+esm3
libavcodec-extra58 7:4.4.2-0ubuntu0.22.04.1+esm3
libavcodec58 7:4.4.2-0ubuntu0.22.04.1+esm3
libavdevice58 7:4.4.2-0ubuntu0.22.04.1+esm3
libavfilter-extra 7:4.4.2-0ubuntu0.22.04.1+esm3
libavfilter-extra7 7:4.4.2-0ubuntu0.22.04.1+esm3
libavfilter7 7:4.4.2-0ubuntu0.22.04.1+esm3
libavformat-extra 7:4.4.2-0ubuntu0.22.04.1+esm3
libavformat-extra58 7:4.4.2-0ubuntu0.22.04.1+esm3
libavformat58 7:4.4.2-0ubuntu0.22.04.1+esm3
libavutil56 7:4.4.2-0ubuntu0.22.04.1+esm3
libpostproc55 7:4.4.2-0ubuntu0.22.04.1+esm3
libswresample3 7:4.4.2-0ubuntu0.22.04.1+esm3
libswscale5 7:4.4.2-0ubuntu0.22.04.1+esm3
Ubuntu 20.04 LTS (Available with Ubuntu Pro):
ffmpeg 7:4.2.7-0ubuntu0.1+esm4
libavcodec-extra 7:4.2.7-0ubuntu0.1+esm4
libavcodec-extra58 7:4.2.7-0ubuntu0.1+esm4
libavcodec58 7:4.2.7-0ubuntu0.1+esm4
libavdevice58 7:4.2.7-0ubuntu0.1+esm4
libavfilter-extra 7:4.2.7-0ubuntu0.1+esm4
libavfilter-extra7 7:4.2.7-0ubuntu0.1+esm4
libavfilter7 7:4.2.7-0ubuntu0.1+esm4
libavformat58 7:4.2.7-0ubuntu0.1+esm4
libavresample4 7:4.2.7-0ubuntu0.1+esm4
libavutil-dev 7:4.2.7-0ubuntu0.1+esm4
libavutil56 7:4.2.7-0ubuntu0.1+esm4
libpostproc55 7:4.2.7-0ubuntu0.1+esm4
libswresample3 7:4.2.7-0ubuntu0.1+esm4
libswscale5 7:4.2.7-0ubuntu0.1+esm4
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
ffmpeg 7:3.4.11-0ubuntu0.1+esm4
libavcodec-extra 7:3.4.11-0ubuntu0.1+esm4
libavcodec-extra57 7:3.4.11-0ubuntu0.1+esm4
libavcodec57 7:3.4.11-0ubuntu0.1+esm4
libavdevice-dev 7:3.4.11-0ubuntu0.1+esm4
libavdevice57 7:3.4.11-0ubuntu0.1+esm4
libavfilter-dev 7:3.4.11-0ubuntu0.1+esm4
libavfilter-extra 7:3.4.11-0ubuntu0.1+esm4
libavfilter-extra6 7:3.4.11-0ubuntu0.1+esm4
libavfilter6 7:3.4.11-0ubuntu0.1+esm4
libavformat57 7:3.4.11-0ubuntu0.1+esm4
libavresample3 7:3.4.11-0ubuntu0.1+esm4
libavutil-dev 7:3.4.11-0ubuntu0.1+esm4
libavutil55 7:3.4.11-0ubuntu0.1+esm4
libpostproc54 7:3.4.11-0ubuntu0.1+esm4
libswresample2 7:3.4.11-0ubuntu0.1+esm4
libswscale4 7:3.4.11-0ubuntu0.1+esm4
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6449-2
https://ubuntu.com/security/notices/USN-6449-1
https://launchpad.net/bugs/2042743
Related news
Debian Linux Security Advisory 5721-1 - Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.
Gentoo Linux Security Advisory 202312-14 - Multiple vulnerabilities have been discovered in FFmpeg, the worst of which could lead to code execution. Versions greater than or equal to 6.0 are affected.
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS.
libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).