Unix News Tutorials Events and Stuff: [USN-5958-1] FFmpeg vulnerabilities

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsFNBGJo5iQBEADBDrePgICrxsoCWxlAiEKAgZgqeX1XhHxhDCkprNwOA9ZEU7G9
77BEHgYLSrAh3LraWYK+piBXBuHdg8KCUppUmEC4GtiHg+KxtxRjgZn/tjLD6vgZ
kwZYs0KXQVCK2bhSL0paEA78Xcx1B6xa8JArnjk87VoNl6RCjJESXkwlqGtQTEOp
bNxBy5Pd0T33xYeKcOz0GWY5ndkU1gD7NtMZdWZ8vcQclLquQO5OE33OhK78cU4Z
k4xFL5I5R4rBhlrOsw002bbD0+QI6wUKQByHfvcAz59eHS/wJOrAY/1p+IKql/4f
sRQQSRPSc+3CqELdxzF2s+AG0PciQms3RVYT6czH28Ce9C9BDAENga28FvQDf5Zi
STUeXZm0XJ9g+dLg+6FBPHp9wX+ybfAmIRXQlV4D6DledQAWjoBy3j09JOGQGSH0
S3EbQ68Qn2xyGBlYeFCZbMlKDN8NrpVCx9Jf6dDb3Qv2Do1yIIRu5x0vwKlNsQG0
NffMryLCQ0tVBNNiwqrHIbmZEhSUEmKf6u+zZsx1JMewe6fRw3hf3VOzENH5tGpZ
Z1Yg8m3E2yiXmPJ9cX3iZD0l7/L8CEiuMWt/q/NEDnKsGovi9N1r04Yxxo5lWoHr
+4taaOnC2C7YEHICIWx3lEU0lm24PbNG4QBJCJ8ctwG2rV3AMILCVSzW0QARAQAB
zSVNYXJrIEVzbGVyIDxtYXJrLmVzbGVyQGNhbm9uaWNhbC5jb20+wsGUBBMBCgA+
FiEELTsQ/oZuJMqL99Qt1guDyQUTvU8FAmJo5iQCGwMFCQPCZwAFCwkIBwIGFQoJ
CAsCBBYCAwECHgECF4AACgkQ1guDyQUTvU/Gqw/9F5ko+KS9CRXXcp4SkdhHB6aG
tD9rEJycEywPymmI+OwCJppmbQBzzwW7QGLHi8TTiWnWMSeikhSh0p9pPCc9rhLt
tYDlGZwoxXPt7PwS0k9JjITNviTNZD6uHIoYmFMxS65qdh7s7OSQj4+nTij1b+dV
qzaG4krGB/pav2D2adt4k02KfqIkPiLY0Jo+o8hKOx2HRh8xqEU/eySRtVvIx55c
D4Qh63KQv465Afz+QuKsbxuqA2iboUP/srYtMQtFi8TCF7/5gLwDbGDgOAYhIxyf
vgAH5dbBFB8lIMPjIeTbP0lE+xMHUmQsKhtYICnjhnGRJeT6vBlDFuUar5DYA3fI
m9LEAf1T1eMK4FBUSCv+cULlT9+rsHDbG6tiZU/BDp/mkKFs2Ax9W68+fgXy7bor
ixrgDhfSCsYWaxLsXW/GEmyCbp30PZlLr6kvfQq7CMEjeE79FEsef7/ppRH/t+mv
6p2xhb+DDbvqzcQZ7LQn3+PLxkR37spQRvevPxpx000CqTO5gV19w/2ZSPydm2Zd
44XSranzwDdD4o5ZsMXAPuCNlVAVzxAhxNj2QQL7xh9bdDDmM9Z7qBPwFX42n7mw
ryjBHqMtrSCSI8hupSh2B/bQSRyWd3/KQ2vlJMoq7H5EJiJYpb3blvb4tfoSfEag
PqYV1jJEcKImOGs988rOwU0EYmjmJAEQAL0wGwC8P1qj0fuLaFpPKBAFtxBqnJJc
c+63DjQ17/QJrYpKwGGkW6fz/Nn0nUDf88FdrHd7t6a9c3m82/gvsr8VjAD4SISp
DjPIpfCj5gWGAuhATWB0pwjWRsgFkIThaa0px6ZJFGdU9lJmi633Xsk4s9bws8kZ
pnwtk+StRueqcSElfLw1/gbu6EhcEH62iBb2qlRhgtntgy1dcnqDEQhcdccWSgna
+ZlDIo3Z75RWoIXxrtzUe9PDdG4Ou+k/H96mS7pZdmU6elbQlcDGYegYGH6OTYjv
Zyl81ACN9Y3Fcmc+luBMeuyQndHFnG6rjOwHr6iM9ZKRBq03QiAAp4vooPyLqG9n
ZmoeLH0Q7L2pVIwroVtsJvnjws5z3DujguZcLYCeA/WEXj8p0lYy9WVGrfJ7LyLp
+Uj7AdXFB6msED51Swb6QkpWrcC7V2COKZmfYGXFy7PdIwWeqgYjJ0zqEldHGDTD
V0yTuuER2bJ/T1WBVy9U46/KRUXYevgCZFGPbyO/vKLwKVbrbkimULMFcPJpKinF
PQs0ch7HA6PPog0wbux5Bm9O78lzYo/WFlvofFKTzfGEsnifCVXkcsu0Qp8m6DQZ
yeFO8SH3DHaHFaPKc3JYEFTdmP0PdvH8aqb5TVTb8G+hvxktDkCuCrlaoFVSCNhI
WfJ6rAxxYGuNABEBAAHCwXwEGAEKACYWIQQtOxD+hm4kyov31C3WC4PJBRO9TwUC
YmjmJAIbDAUJA8JnAAAKCRDWC4PJBRO9T3SnEACEprj9LsxvhbM6A/aLk3la8UD9
MYtLSmbl+KPGEvP0r7viPftolgV8O+tRG09Z7Wd/63WsHjA2Psgwdm49BziL8tCf
ONfVXCojPxR/uyL5ykPHSE/yC+mz3DTPWcncGCdteil6Cw43MHNCm2oYJ38VXAwV
9pikHeO5Pj5xukmc/bQr3v3NrDQI+AQpNbWs2r4vw+y01IidmMh12RkuGi2UYOga
jvfDeoSSEF7VJ6Qlij9UjatkbZpSHjn2rf+B9DdlkRNr5Vfd9/xaSFQoazdgNS/Q
HqOeZ+9HqNrUlHTH9BUaTkmV6MDXtEjVGfROXxXPw/q29QUzZUZE3agqmuxB3yar
PjW24mNu5Kd22rb06blTfBO0o7DOX9UwOVLfFLejfWAYANuXilcju9/3dHRsv6o9
9tGfRxJIMOPVY6JgswYISB7CwdA+Uda6UvU+qwYCRi7B8L13H3uhDKzA5sgRZnz2
oQw+bOB/ErZv78NVnhrdy9LAkLk0U8RVvH8sWPco4ZjQVou6wDMEsKaIlioU8x6n
YOi8LBpijWpaKEpCbU4nRdV/4d3eWr7tu1MWGcm70C6mrjypxI6TVCPg+gimjM4D
7LOpJKZJVGQg9JYPUhccp27Nn/3L2/Y9F3tKUfCTPHanOzHg4KNRRUr8CQD8qi+8
nWqztY9OeZjz0vagYM7BTQRiaOZoARAA6bzogRYAMYdwU2BsWFurvrghzEbqjguN
XwBiQ/90kXb3exYZvGXTCxdrV5FRjPU6eeX2TAyZRt6XnK6nyrZFlRAcXeWCeo05
d+mdK6fv4iOc/T0JeMZCrNm4BDjcGNOr7KImVQTNuoN9nVieVQSK/hRpSFPkNLbn
1oemHqZitxoI5HCBAVQrKR8d0REzn9Y1jdCHkhgSNaEcAww6CgF2Mlsw5txhmIh9
IZircfAzGU6lI1MgjPkDOFPDdwIoc8xtuAJB/G6gT8Ot9FQ3EMaV2zPTL7Jd1ZQR
hOrs75gjLlhOyYYb5Y3isaMKzUMYKQDFWrCws/sGEm2TwbD5gI6ipa2r71DcGijj
GJQITAQsS+rdUKBts+DPKfZR4nlLq41/utA4LJL2y33SFXeqylyIoKPs1FJ0JZyM
VXiWQyxAuPjYJPZbcSh8exj6rct/QVZgztSuvKxeaEqZ/xwkQ/uHWZxQy7lZxBbw
LCVH8HxVApD/tc3/U/jQjtQSblX3KnMia5rHjX+p9tYSSeLNPA99KNrqwLdDh9Mz
/Rm131NUHwlOEIpSeqDfs1+jQYy0QdZnxDHrIVnpIz6M8IVFRBo4LQmi0sPkzzEZ
A29s3+IzofztGXf+b+vZAmnOrQEgNPjdIVHfvQJVqcm1JdOzyuHEvN8IiV/90RAP
r2NqNrtRjQMAEQEAAcLBfAQYAQoAJhYhBC07EP6GbiTKi/fULdYLg8kFE71PBQJi
aOZoAhsgBQkDwmcAAAoJENYLg8kFE71PE2wQAK2ntrQ0902+a3KC/Ak7VhOTV0c0
my8e7mqesYRGXB158P7UJZS1grU6MjBbMsArFdshTRquSmEOnAB6ahnD+JNq+Jzf
9QKknvekzkjlC11FxTHMGncKnScsu8Vont+rFBA66JYLrh7my5CpzijTVTYC9HcA
SbnW0IzzJl90cVh5tC9S+m6Dh3kNcujWyJ8D+ceaEhwYE2LgbbDUSJa2p1tBiXQ6
SGu6nX0nyXL5p7zzRhAl/ao5cZ/FTijvdQe1Vzm7qArKj6A3ir5YOWzSnaCbfbSm
J2pPgZZCNybzStmcoZ73GgBJxIh89vixfBRLTJVECePLTw2gBmoxR1ziqs0pKW3H
y3VKBb+QMJAVmRwRlonMTgT5gHa8bCL8U7Qvx9jOrApOEqFee3dytIOoVsCUkNh0
vOKmlLuqrIopdbJm8F58qOV/eR5chfxax9jOSHkZ812LyMyxr8y6wn3d26XF4Ho1
tGRAYDI77qaLxaPbzIFas1t9X/+U+sz3Bg0exmi9/mp9wwvLJh3XOC+2MaHzBXGl
x+MvgOYIvEtZXVvfwjay19rhJRvn0D497VaVrhw7md5IbKY42h5qUCCzlHsqHEe5
YDxswWadH4fZhy+cEatf29lYJ2BaK+PIsmp22bxbxdGdoZ2cbqQXIko+3XxaiVp5
z7V5USx9zNkfsrbz
=3tFx
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================
Ubuntu Security Notice USN-5958-1
March 16, 2023

ffmpeg vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in FFmpeg.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that FFmpeg could be made to dereference a null
pointer. An attacker could possibly use this to cause a denial of
service via application crash. These issues only affected Ubuntu
16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. (CVE-2022-3109, CVE-2022-3341)

It was discovered that FFmpeg could be made to access an out-of-bounds
frame by the Apple RPZA encoder. An attacker could possibly use this
to cause a denial of service via application crash or access sensitive
information. This issue only affected Ubuntu 20.04 LTS and Ubuntu
22.10. (CVE-2022-3964)

It was discovered that FFmpeg could be made to access an out-of-bounds
frame by the QuickTime encoder. An attacker could possibly use this to
cause a denial of service via application crash or access sensitive
information. This issue only affected Ubuntu 22.10. (CVE-2022-3965)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
ffmpeg 7:5.1.1-1ubuntu2.1
libavcodec-extra 7:5.1.1-1ubuntu2.1
libavcodec-extra59 7:5.1.1-1ubuntu2.1
libavcodec59 7:5.1.1-1ubuntu2.1
libavdevice59 7:5.1.1-1ubuntu2.1
libavfilter-extra 7:5.1.1-1ubuntu2.1
libavfilter-extra8 7:5.1.1-1ubuntu2.1
libavfilter8 7:5.1.1-1ubuntu2.1
libavformat-extra 7:5.1.1-1ubuntu2.1
libavformat-extra59 7:5.1.1-1ubuntu2.1
libavformat59 7:5.1.1-1ubuntu2.1
libavutil57 7:5.1.1-1ubuntu2.1
libpostproc56 7:5.1.1-1ubuntu2.1
libswresample4 7:5.1.1-1ubuntu2.1
libswscale6 7:5.1.1-1ubuntu2.1

Ubuntu 22.04 LTS:
ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec-extra58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavdevice58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter-extra7 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter7 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat-extra58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavutil56 7:4.4.2-0ubuntu0.22.04.1+esm1
libpostproc55 7:4.4.2-0ubuntu0.22.04.1+esm1
libswresample3 7:4.4.2-0ubuntu0.22.04.1+esm1
libswscale5 7:4.4.2-0ubuntu0.22.04.1+esm1

Ubuntu 20.04 LTS:
ffmpeg 7:4.2.7-0ubuntu0.1+esm1
libavcodec-extra 7:4.2.7-0ubuntu0.1+esm1
libavcodec-extra58 7:4.2.7-0ubuntu0.1+esm1
libavcodec58 7:4.2.7-0ubuntu0.1+esm1
libavdevice58 7:4.2.7-0ubuntu0.1+esm1
libavfilter-extra 7:4.2.7-0ubuntu0.1+esm1
libavfilter-extra7 7:4.2.7-0ubuntu0.1+esm1
libavfilter7 7:4.2.7-0ubuntu0.1+esm1
libavformat58 7:4.2.7-0ubuntu0.1+esm1
libavresample4 7:4.2.7-0ubuntu0.1+esm1
libavutil56 7:4.2.7-0ubuntu0.1+esm1
libpostproc55 7:4.2.7-0ubuntu0.1+esm1
libswresample3 7:4.2.7-0ubuntu0.1+esm1
libswscale5 7:4.2.7-0ubuntu0.1+esm1

Ubuntu 18.04 LTS:
ffmpeg 7:3.4.11-0ubuntu0.1+esm1
libavcodec-extra 7:3.4.11-0ubuntu0.1+esm1
libavcodec-extra57 7:3.4.11-0ubuntu0.1+esm1
libavcodec57 7:3.4.11-0ubuntu0.1+esm1
libavdevice57 7:3.4.11-0ubuntu0.1+esm1
libavfilter-extra 7:3.4.11-0ubuntu0.1+esm1
libavfilter-extra6 7:3.4.11-0ubuntu0.1+esm1
libavfilter6 7:3.4.11-0ubuntu0.1+esm1
libavformat57 7:3.4.11-0ubuntu0.1+esm1
libavresample3 7:3.4.11-0ubuntu0.1+esm1
libavutil55 7:3.4.11-0ubuntu0.1+esm1
libpostproc54 7:3.4.11-0ubuntu0.1+esm1
libswresample2 7:3.4.11-0ubuntu0.1+esm1
libswscale4 7:3.4.11-0ubuntu0.1+esm1

Ubuntu 16.04 ESM:
ffmpeg 7:2.8.17-0ubuntu0.1+esm5
libav-tools 7:2.8.17-0ubuntu0.1+esm5
libavcodec-extra 7:2.8.17-0ubuntu0.1+esm5
libavcodec-ffmpeg-extra56 7:2.8.17-0ubuntu0.1+esm5
libavcodec-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavdevice-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavfilter-ffmpeg5 7:2.8.17-0ubuntu0.1+esm5
libavformat-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavresample-ffmpeg2 7:2.8.17-0ubuntu0.1+esm5
libavutil-ffmpeg54 7:2.8.17-0ubuntu0.1+esm5
libpostproc-ffmpeg53 7:2.8.17-0ubuntu0.1+esm5
libswresample-ffmpeg1 7:2.8.17-0ubuntu0.1+esm5
libswscale-ffmpeg3 7:2.8.17-0ubuntu0.1+esm5

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5958-1
CVE-2022-3109, CVE-2022-3341, CVE-2022-3964, CVE-2022-3965,
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/2007269

Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/7:5.1.1-1ubuntu2.1

Wednesday, March 15, 2023

[USN-5958-1] FFmpeg vulnerabilities

No comments:

Post a Comment