[USN-5958-1] FFmpeg vulnerabilities

Mark Esler mark.esler at canonical.com
Thu Mar 16 02:23:38 UTC 2023 

==========================================================================
Ubuntu Security Notice USN-5958-1
March 16, 2023

ffmpeg vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in FFmpeg.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that FFmpeg could be made to dereference a null
pointer. An attacker could possibly use this to cause a denial of
service via application crash. These issues only affected Ubuntu
16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. (CVE-2022-3109, CVE-2022-3341)

It was discovered that FFmpeg could be made to access an out-of-bounds
frame by the Apple RPZA encoder. An attacker could possibly use this
to cause a denial of service via application crash or access sensitive
information. This issue only affected Ubuntu 20.04 LTS and Ubuntu
22.10. (CVE-2022-3964)

It was discovered that FFmpeg could be made to access an out-of-bounds
frame by the QuickTime encoder. An attacker could possibly use this to
cause a denial of service via application crash or access sensitive
information. This issue only affected Ubuntu 22.10. (CVE-2022-3965)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
ffmpeg 7:5.1.1-1ubuntu2.1
libavcodec-extra 7:5.1.1-1ubuntu2.1
libavcodec-extra59 7:5.1.1-1ubuntu2.1
libavcodec59 7:5.1.1-1ubuntu2.1
libavdevice59 7:5.1.1-1ubuntu2.1
libavfilter-extra 7:5.1.1-1ubuntu2.1
libavfilter-extra8 7:5.1.1-1ubuntu2.1
libavfilter8 7:5.1.1-1ubuntu2.1
libavformat-extra 7:5.1.1-1ubuntu2.1
libavformat-extra59 7:5.1.1-1ubuntu2.1
libavformat59 7:5.1.1-1ubuntu2.1
libavutil57 7:5.1.1-1ubuntu2.1
libpostproc56 7:5.1.1-1ubuntu2.1
libswresample4 7:5.1.1-1ubuntu2.1
libswscale6 7:5.1.1-1ubuntu2.1

Ubuntu 22.04 LTS:
ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec-extra58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavdevice58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter-extra7 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter7 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat-extra58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavutil56 7:4.4.2-0ubuntu0.22.04.1+esm1
libpostproc55 7:4.4.2-0ubuntu0.22.04.1+esm1
libswresample3 7:4.4.2-0ubuntu0.22.04.1+esm1
libswscale5 7:4.4.2-0ubuntu0.22.04.1+esm1

Ubuntu 20.04 LTS:
ffmpeg 7:4.2.7-0ubuntu0.1+esm1
libavcodec-extra 7:4.2.7-0ubuntu0.1+esm1
libavcodec-extra58 7:4.2.7-0ubuntu0.1+esm1
libavcodec58 7:4.2.7-0ubuntu0.1+esm1
libavdevice58 7:4.2.7-0ubuntu0.1+esm1
libavfilter-extra 7:4.2.7-0ubuntu0.1+esm1
libavfilter-extra7 7:4.2.7-0ubuntu0.1+esm1
libavfilter7 7:4.2.7-0ubuntu0.1+esm1
libavformat58 7:4.2.7-0ubuntu0.1+esm1
libavresample4 7:4.2.7-0ubuntu0.1+esm1
libavutil56 7:4.2.7-0ubuntu0.1+esm1
libpostproc55 7:4.2.7-0ubuntu0.1+esm1
libswresample3 7:4.2.7-0ubuntu0.1+esm1
libswscale5 7:4.2.7-0ubuntu0.1+esm1

Ubuntu 18.04 LTS:
ffmpeg 7:3.4.11-0ubuntu0.1+esm1
libavcodec-extra 7:3.4.11-0ubuntu0.1+esm1
libavcodec-extra57 7:3.4.11-0ubuntu0.1+esm1
libavcodec57 7:3.4.11-0ubuntu0.1+esm1
libavdevice57 7:3.4.11-0ubuntu0.1+esm1
libavfilter-extra 7:3.4.11-0ubuntu0.1+esm1
libavfilter-extra6 7:3.4.11-0ubuntu0.1+esm1
libavfilter6 7:3.4.11-0ubuntu0.1+esm1
libavformat57 7:3.4.11-0ubuntu0.1+esm1
libavresample3 7:3.4.11-0ubuntu0.1+esm1
libavutil55 7:3.4.11-0ubuntu0.1+esm1
libpostproc54 7:3.4.11-0ubuntu0.1+esm1
libswresample2 7:3.4.11-0ubuntu0.1+esm1
libswscale4 7:3.4.11-0ubuntu0.1+esm1

Ubuntu 16.04 ESM:
ffmpeg 7:2.8.17-0ubuntu0.1+esm5
libav-tools 7:2.8.17-0ubuntu0.1+esm5
libavcodec-extra 7:2.8.17-0ubuntu0.1+esm5
libavcodec-ffmpeg-extra56 7:2.8.17-0ubuntu0.1+esm5
libavcodec-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavdevice-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavfilter-ffmpeg5 7:2.8.17-0ubuntu0.1+esm5
libavformat-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavresample-ffmpeg2 7:2.8.17-0ubuntu0.1+esm5
libavutil-ffmpeg54 7:2.8.17-0ubuntu0.1+esm5
libpostproc-ffmpeg53 7:2.8.17-0ubuntu0.1+esm5
libswresample-ffmpeg1 7:2.8.17-0ubuntu0.1+esm5
libswscale-ffmpeg3 7:2.8.17-0ubuntu0.1+esm5

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5958-1
CVE-2022-3109, CVE-2022-3341, CVE-2022-3964, CVE-2022-3965,
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/2007269

Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/7:5.1.1-1ubuntu2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xD60B83C90513BD4F.asc
Type: application/pgp-keys
Size: 4646 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20230315/2790b54f/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20230315/2790b54f/attachment.sig>

More information about the ubuntu-security-announce mailing list