DebianDEBIAN:DLA-2742-1:07382[SECURITY] [DLA 2742-1] ffmpeg security update
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
69.2%
Debian LTS Advisory DLA-2742-1 [email protected]
https://www.debian.org/lts/security/ Anton Gladky
August 14, 2021 https://wiki.debian.org/LTS
Package : ffmpeg
Version : 7:3.2.15-0+deb9u3
CVE ID : CVE-2020-21041 CVE-2020-22015 CVE-2020-22016 CVE-2020-22020
CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 CVE-2020-22025
CVE-2020-22026 CVE-2020-22028 CVE-2020-22031 CVE-2020-22032
CVE-2020-22036 CVE-2021-3566 CVE-2021-38114
Multiple issues have been discovered in ffmpeg.
CVE-2020-21041
Buffer Overflow vulnerability exists via apng_do_inverse_blend in
libavcodec/pngenc.c, which could let a remote malicious user cause a
Denial of Service.
CVE-2020-22015
Buffer Overflow vulnerability in mov_write_video_tag due to the out of
bounds in libavformat/movenc.c, which could let a remote malicious user
obtain sensitive information, cause a Denial of Service, or execute
arbitrary code.
CVE-2020-22016
A heap-based Buffer Overflow vulnerability at libavcodec/get_bits.h when
writing .mov files, which might lead to memory corruption and other
potential consequences.
CVE-2020-22020
Buffer Overflow vulnerability in the build_diff_map function in
libavfilter/vf_fieldmatch.c, which could let a remote malicious user cause
a Denial of Service.
CVE-2020-22021
Buffer Overflow vulnerability at filter_edges function in
libavfilter/vf_yadif.c, which could let a remote malicious user cause a
Denial of Service.
CVE-2020-22022
A heap-based Buffer Overflow vulnerability exists in filter_frame at
libavfilter/vf_fieldorder.c, which might lead to memory corruption and other
potential consequences.
CVE-2020-22023
A heap-based Buffer Overflow vulnerabililty exists in filter_frame at
libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and
other potential consequences.
CVE-2020-22025
A heap-based Buffer Overflow vulnerability exists in gaussian_blur at
libavfilter/vf_edgedetect.c, which might lead to memory corruption and other
potential consequences.
CVE-2020-22026
Buffer Overflow vulnerability exists in the config_input function at
libavfilter/af_tremolo.c, which could let a remote malicious user cause a
Denial of Service.
CVE-2020-22028
Buffer Overflow vulnerability in filter_vertically_8 at
libavfilter/vf_avgblur.c, which could cause a remote Denial of Service.
CVE-2020-22031
A Heap-based Buffer Overflow vulnerability in filter16_complex_low, which
might lead to memory corruption and other potential consequences.
CVE-2020-22032
A heap-based Buffer Overflow vulnerability in gaussian_blur, which might
lead to memory corruption and other potential consequences.
CVE-2020-22036
A heap-based Buffer Overflow vulnerability in filter_intra at
libavfilter/vf_bwdif.c, which might lead to memory corruption and other
potential consequences.
CVE-2021-3566
The tty demuxer did not have a 'read_probe' function assigned to it. By
crafting a legitimate "ffconcat" file that references an image, followed by
a file the triggers the tty demuxer, the contents of the second file will be
copied into the output file verbatim (as long as the `-vcodec copy` option
is passed to ffmpeg).
CVE-2021-38114
libavcodec/dnxhddec.c does not check the return value of the init_vlc
function. Crafted DNxHD data can cause unspecified impact.
For Debian 9 stretch, these problems have been fixed in version
7:3.2.15-0+deb9u3.
We recommend that you upgrade your ffmpeg packages.
For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 10 | mips64el | libpostproc55-dbgsym | <Â 7:4.1.8-0+deb10u1 | libpostproc55-dbgsym_7:4.1.8-0+deb10u1_mips64el.deb |
| Debian | 10 | armhf | libswresample3 | <Â 7:4.1.8-0+deb10u1 | libswresample3_7:4.1.8-0+deb10u1_armhf.deb |
| Debian | 10 | amd64 | libpostproc-dev | <Â 7:4.1.8-0+deb10u1 | libpostproc-dev_7:4.1.8-0+deb10u1_amd64.deb |
| Debian | 10 | armhf | ffmpeg | <Â 7:4.1.8-0+deb10u1 | ffmpeg_7:4.1.8-0+deb10u1_armhf.deb |
| Debian | 10 | arm64 | libavfilter-extra7 | <Â 7:4.1.8-0+deb10u1 | libavfilter-extra7_7:4.1.8-0+deb10u1_arm64.deb |
| Debian | 10 | armel | libavcodec-dev | <Â 7:4.1.8-0+deb10u1 | libavcodec-dev_7:4.1.8-0+deb10u1_armel.deb |
| Debian | 10 | ppc64el | libavresample4 | <Â 7:4.1.8-0+deb10u1 | libavresample4_7:4.1.8-0+deb10u1_ppc64el.deb |
| Debian | 10 | amd64 | libavformat58 | <Â 7:4.1.8-0+deb10u1 | libavformat58_7:4.1.8-0+deb10u1_amd64.deb |
| Debian | 10 | mipsel | libavcodec-extra58 | <Â 7:4.1.8-0+deb10u1 | libavcodec-extra58_7:4.1.8-0+deb10u1_mipsel.deb |
| Debian | 10 | ppc64el | ffmpeg | <Â 7:4.1.8-0+deb10u1 | ffmpeg_7:4.1.8-0+deb10u1_ppc64el.deb |
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
69.2%