Advisory ROSA-SA-2023-2277

software: ffmpeg 4.4.3
OS: ROSA-CHROME

package_evr_string: ffmpeg-4.4.3-2.src.rpm

CVE-ID: CVE-2022-3109
BDU-ID: 2023-04787
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the vp3_decode_frame function of the libavcodec/vp3.c component of the FFmpeg multimedia library is related to a lack of validation of the return value of av_malloc(). Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update ffmpeg

CVE-ID: CVE-2022-3341
BDU-ID: 2023-03348
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the decode_main_header() function (libavformat/nutdec.c) of the FFmpeg multimedia library is related to null pointer dereferencing. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update ffmpeg

CVE-ID: CVE-2022-3964
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: A vulnerability classified as problematic has been discovered in ffmpeg. It affects an unknown part of the libavcodec/rpzaenc.c file of the QuickTime RPZA Video Encoder component. Manipulation of the y_size argument results in reads outside the valid range. The attack can be initiated remotely.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update ffmpeg

CVE-ID: CVE-2022-48434
BDU-ID: 2023-02925
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the libavcodec/pthread_frame.c component of the FFmpeg multimedia library is related to memory usage after it is freed when processing worker threads by the hwaccel decoder. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update ffmpeg