-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2742-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Anton Gladky August 14, 2021 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : ffmpeg Version : 7:3.2.15-0+deb9u3 CVE ID : CVE-2020-21041 CVE-2020-22015 CVE-2020-22016 CVE-2020-22020 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 CVE-2020-22025 CVE-2020-22026 CVE-2020-22028 CVE-2020-22031 CVE-2020-22032 CVE-2020-22036 CVE-2021-3566 CVE-2021-38114 Multiple issues have been discovered in ffmpeg. CVE-2020-21041 Buffer Overflow vulnerability exists via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service. CVE-2020-22015 Buffer Overflow vulnerability in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial of Service, or execute arbitrary code. CVE-2020-22016 A heap-based Buffer Overflow vulnerability at libavcodec/get_bits.h when writing .mov files, which might lead to memory corruption and other potential consequences. CVE-2020-22020 Buffer Overflow vulnerability in the build_diff_map function in libavfilter/vf_fieldmatch.c, which could let a remote malicious user cause a Denial of Service. CVE-2020-22021 Buffer Overflow vulnerability at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a Denial of Service. CVE-2020-22022 A heap-based Buffer Overflow vulnerability exists in filter_frame at libavfilter/vf_fieldorder.c, which might lead to memory corruption and other potential consequences. CVE-2020-22023 A heap-based Buffer Overflow vulnerabililty exists in filter_frame at libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and other potential consequences. CVE-2020-22025 A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences. CVE-2020-22026 Buffer Overflow vulnerability exists in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service. CVE-2020-22028 Buffer Overflow vulnerability in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service. CVE-2020-22031 A Heap-based Buffer Overflow vulnerability in filter16_complex_low, which might lead to memory corruption and other potential consequences. CVE-2020-22032 A heap-based Buffer Overflow vulnerability in gaussian_blur, which might lead to memory corruption and other potential consequences. CVE-2020-22036 A heap-based Buffer Overflow vulnerability in filter_intra at libavfilter/vf_bwdif.c, which might lead to memory corruption and other potential consequences. CVE-2021-3566 The tty demuxer did not have a 'read_probe' function assigned to it. By crafting a legitimate "ffconcat" file that references an image, followed by a file the triggers the tty demuxer, the contents of the second file will be copied into the output file verbatim (as long as the `-vcodec copy` option is passed to ffmpeg). CVE-2021-38114 libavcodec/dnxhddec.c does not check the return value of the init_vlc function. Crafted DNxHD data can cause unspecified impact. For Debian 9 stretch, these problems have been fixed in version 7:3.2.15-0+deb9u3. We recommend that you upgrade your ffmpeg packages. For the detailed security status of ffmpeg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ffmpeg Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmEYnuUACgkQ0+Fzg8+n /wZjLw//SqRxR5dxNq3k6PHU198Mj9rVuPinsKS1yucBMslAznMYYpIC0PWptNVH Dv/5ZFLZg6lMmZJ/okNtwBs/ctJF2mBGUlp8xFgmKJlVmKszM4H2WJzvLivN4nAt IlWCiuS1ODdQEtZOKBiTVi9OEUvjjRZdRFdvmtNlz36ng4mGe2e70sg+leexfhhN lwCuGP1Zq4u/OuxitlP8VlLciGuFPbxnKhN26pHykrdMnkd1VwE3tyDK1T2jKzZX hVbpqhDgxTseo5P7g/+Ciz9rm4yYRTA2njzEN+eyA6AQV8ZrYF259BaWaJLqWvLI RdQmaFeZ3K0DpW3k0PX2BWb0aeV5rltdWjCq12sJr0bMkosEbx2MK0pYdVtCdF1t uo9DmGLpu1ihwF09BpyQ91dC0NYb8n6opB7bGmif76pkLNROmCNqn2G+AKSwSCig w9pY+KFf8U6+888fcjI4I9kupbqDuRIOSvtkdVOxcQF6tmkT+mw8nWsUi2WnAux3 DITYEPQvHPxHcfNCSqwoIRVX17gD1S3CbBfpwYJTMEQMHRbdNaybVmdLQGbzGFwL vxinW2Psd+wRym+pJKGIvLg167GVTDCbH0yRbI1BCG1K4xO1TO8JtGyQSOhR0GPB 4OCMi3/WNTZ+KlBVBjHauqZ34YIaaJ0xxNwL5l+gDgpojIB2+Tw= =zUxe -----END PGP SIGNATURE-----