Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ffmpeg-6 for openSUSE:Factory checked in at 2025-04-18 16:20:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ffmpeg-6 (Old)
 and /work/SRC/openSUSE:Factory/.ffmpeg-6.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg-6" Fri Apr 18 16:20:37 2025 rev:20 rq:1270302 version:6.1.2 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg-6/ffmpeg-6.changes 2025-03-21 20:22:40.803403428 +0100 +++ /work/SRC/openSUSE:Factory/.ffmpeg-6.new.30101/ffmpeg-6.changes 2025-04-20 19:52:09.469346494 +0200 
@@ -1,0 +2,57 @@ +Fri Mar 21 05:24:02 UTC 2025 - Cliff Zhao <[email protected]> + +- Add ffmpeg-6-CVE-2025-22921.patch: + Backport 7f9c7f98 from upstream, clear array length when + freeing it. + (CVE-2025-22921, bsc#1237382) + +------------------------------------------------------------------- +Fri Mar 21 04:49:12 UTC 2025 - Cliff Zhao <[email protected]> + +- Add ffmpeg-6-CVE-2025-25473.patch: + Backport c08d3004 from upstream, clear FFFormatContext packet. + When packet_buffer is used in mux.c, and if a muxing process fails + at a point where packets remained in said queue. + (CVE-2025-25473, bsc#1237351) + +------------------------------------------------------------------- +Fri Mar 21 04:22:02 UTC 2025 - Cliff Zhao <[email protected]> + +- Add ffmpeg-6-CVE-2025-0518.patch: + Backport b5b6391d from upstream, fixes memory data leak when + use sscanf(). + (CVE-2025-0518, bsc#1236007) + +------------------------------------------------------------------- +Fri Mar 21 03:52:18 UTC 2025 - Cliff Zhao <[email protected]> + +- Add ffmpeg-6-CVE-2025-22919.patch: + Backport 1446e37d from upstream, check for valid sample rate + As the sample rate <= 0 is invalid. + (CVE-2025-22919, bsc#1237371) + +------------------------------------------------------------------- +Fri Mar 21 03:21:06 UTC 2025 - Cliff Zhao <[email protected]> + +- Add ffmpeg-6-CVE-2024-12361.patch: + Backport 4065ff69 from upstream, add check for av_packet_new_side_data() + to avoid null pointer dereference if allocation fails. + (CVE-2024-12361, bsc#1237358) + +------------------------------------------------------------------- +Fri Mar 21 02:48:12 UTC 2025 - Cliff Zhao <[email protected]> + +- Add ffmpeg-6-CVE-2024-35365.patch: + Backport ced5c5fdb from upstream, Fix double-free on error. 
+ (CVE-2024-35365, bsc#1235091) + +------------------------------------------------------------------- +Fri Mar 21 02:06:21 UTC 2025 - Cliff Zhao <[email protected]> + +- Add ffmpeg-6-CVE-2024-35368.patch: + Backport 45133009 from upstream, After having created the + AVBuffer that is put into frame->buf[0], ownership of several + objects Fix double-free on the AVFrame is unreferenced. + (CVE-2024-35368, bsc#1234028) + +------------------------------------------------------------------- @@ -11,5 +68,8 @@ -- Remove incorporated patches: - 0001-avcodec-tests-rename-the-bundled-Mesa-AV1-vulkan-vid.patch, - ffmpeg-6-CVE-2024-7055.patch and ffmpeg-6-CVE-2024-32230.patch - Upstream changes: - See /usr/shar/doc/packages/ffmpeg-6/Changelog + avcodec/pnmdec: Use 64bit for input size check (CVE-2024-7055, bsc#1229026) + avcodec/mpegvideo_enc: Fix 1 line and one column images (CVE-2024-32230, bsc#1227296) + avcodec/tests: rename the bundled Mesa AV1 vulkan video headers. + etc +- Remove patches already merged to upstream: + 0001-avcodec-tests-rename-the-bundled-Mesa-AV1-vulkan-vid.patch + ffmpeg-6-CVE-2024-7055.patch + ffmpeg-6-CVE-2024-32230.patch @@ -24,0 +85,9 @@ +Sun Sep 29 07:36:13 UTC 2024 - Cliff Zhao <[email protected]> + +- Update ffmpeg-6.spec: + Disable xvid plugin build and dependence, since legal reviewers + are concerned xvid patents have not expired in Brazil, which should + not be used in a commercial context. + https://en.wikipedia.org/wiki/Xvid + +------------------------------------------------------------------- 
@@ -28 +97,10 @@ - (boo#1230983) + (boo#1230983, boo#1219494) + +- dropping support for libmfx below covers: + * libmfx: improper input validation (CVE-2023-48368, bsc#1226897) + * libmfx: improper buffer restrictions (CVE-2023-45221, bsc#1226898) + * libmfx: out-of-bounds read (CVE-2023-22656, bsc#1226899) + * libmfx: out-of-bounds write (CVE-2023-47282, bsc#1226900) + * libmfx: improper buffer restrictions (CVE-2023-47169, bsc#1226901) + * Multiple vulnerabilities in the Intel Media SDK (libmfx1) (bsc#1226892) + * Drop libmfx dependency from our product (jira #PED-10024) @@ -34 +112 @@ - Backporting 3faadbe2 from upstream, Use 64bit for input size check, + Backport 3faadbe2 from upstream, Use 64bit for input size check, @@ -68 +146 @@ - Backporting 96449cfe from upstream, Fix 1 line and one column images. + Backport 96449cfe from upstream, Fix 1 line and one column images. @@ -75 +153 @@ - Backporting 45964876 from upstream, Fix segfault on invalid film + Backport 45964876 from upstream, Fix segfault on invalid film @@ -83 +161 @@ - Backporting 5d7f234e from upstream, document that there can be multiple + Backport 5d7f234e from upstream, document that there can be multiple @@ -91 +169 @@ - Backporting f50382cb from upstream, implement AFGS1 parsing. + Backport f50382cb from upstream, implement AFGS1 parsing. @@ -99 +177 @@ - Backporting 1535d338 from upstream, add AOM film grain synthesis, + Backport 1535d338 from upstream, add AOM film grain synthesis, @@ -107 +185 @@ - Backporting 5f87a68c from upstream, Fix memory leaks. + Backport 5f87a68c from upstream, Fix memory leaks. @@ -114 +192 @@ - Backporting b1942734 from upstream, Fix crash with EOF handling. + Backport b1942734 from upstream, Fix crash with EOF handling. 
@@ -181,0 +260,3 @@ + * avfilter/vf_minterpolate: Check pts before division (CVE-2023-51798, bsc#1223304) + * avfilter/vf_weave: Fix odd height handling (CVE-2023-51793, bsc#1223272) + * avfilter/vf_gradfun: Do not overread last line (CVE-2023-51793, bsc#122325) New: ---- ffmpeg-6-CVE-2024-12361.patch ffmpeg-6-CVE-2024-35365.patch ffmpeg-6-CVE-2024-35368.patch ffmpeg-6-CVE-2025-0518.patch ffmpeg-6-CVE-2025-22919.patch ffmpeg-6-CVE-2025-22921.patch ffmpeg-6-CVE-2025-25473.patch BETA DEBUG BEGIN: New: - Add ffmpeg-6-CVE-2024-12361.patch: Backport 4065ff69 from upstream, add check for av_packet_new_side_data() New: - Add ffmpeg-6-CVE-2024-35365.patch: Backport ced5c5fdb from upstream, Fix double-free on error. New: - Add ffmpeg-6-CVE-2024-35368.patch: Backport 45133009 from upstream, After having created the New: - Add ffmpeg-6-CVE-2025-0518.patch: Backport b5b6391d from upstream, fixes memory data leak when New: - Add ffmpeg-6-CVE-2025-22919.patch: Backport 1446e37d from upstream, check for valid sample rate New: - Add ffmpeg-6-CVE-2025-22921.patch: Backport 7f9c7f98 from upstream, clear array length when New: - Add ffmpeg-6-CVE-2025-25473.patch: Backport c08d3004 from upstream, clear FFFormatContext packet. BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg-6.spec ++++++ --- /var/tmp/diff_new_pack.z0ezkv/_old 2025-04-20 19:52:10.325382120 +0200 +++ /var/tmp/diff_new_pack.z0ezkv/_new 2025-04-20 19:52:10.325382120 +0200 @@ -60,7 +60,13 @@ %bcond_with smbclient %bcond_with x264 %bcond_with x265 + +# openSUSE legal reviewers are concerned xvid patents and should not be used in commercial context. +%if !0%{?is_opensuse} %bcond_with xvid +%else +%bcond_without xvid +%endif %if 0%{?suse_version} > 1500 %bcond_without mysofa @@ -70,7 +76,6 @@ %bcond_without vulkan %bcond_without amrwb %bcond_without opencore -%bcond_without xvid %else %bcond_with mysofa %bcond_with vidstab 
@@ -125,6 +130,13 @@ Patch94: ffmpeg-6-CVE-2024-32228-shim-1535d338.patch Patch95: ffmpeg-6-CVE-2024-32228-shim-f50382cb.patch Patch97: ffmpeg-c99.patch +Patch98: ffmpeg-6-CVE-2024-35368.patch +Patch99: ffmpeg-6-CVE-2024-35365.patch +Patch100: ffmpeg-6-CVE-2024-12361.patch +Patch101: ffmpeg-6-CVE-2025-22919.patch +Patch102: ffmpeg-6-CVE-2025-0518.patch +Patch103: ffmpeg-6-CVE-2025-25473.patch +Patch104: ffmpeg-6-CVE-2025-22921.patch # # preamble is present twice, watch out # @@ -671,6 +683,8 @@ %endif %if %{with xvid} --enable-libxvid \ +%else + --disable-libxvid \ %endif %if !0%{?BUILD_ORIG} --enable-muxers \ @@ -826,6 +840,7 @@ Source2: https://www.ffmpeg.org/releases/%_name-%version.tar.xz.asc Source3: ffmpeg-6-rpmlintrc Source98: http://ffmpeg.org/ffmpeg-devel.asc#/ffmpeg-6.keyring + Patch1: ffmpeg-arm6l.diff Patch3: ffmpeg-codec-choice.diff Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch @@ -839,6 +854,7 @@ Patch13: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch Patch14: 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch Patch15: 11013-avcodec-decode-clean-up-if-get_hw_frames_parameters-.patch +Patch16: 0001-avcodec-libsvtav1-unbreak-build-with-latest-svtav1.patch Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch92: ffmpeg-CVE-2023-50007.patch @@ -846,6 +862,14 @@ Patch94: ffmpeg-6-CVE-2024-32228-shim-1535d338.patch Patch95: ffmpeg-6-CVE-2024-32228-shim-f50382cb.patch Patch97: ffmpeg-c99.patch +Patch99: ffmpeg-6-CVE-2024-35368.patch +Patch100: ffmpeg-6-CVE-2024-35365.patch +Patch101: ffmpeg-6-CVE-2024-12361.patch +Patch102: ffmpeg-6-CVE-2025-22919.patch +Patch103: ffmpeg-6-CVE-2025-0518.patch +Patch104: ffmpeg-6-CVE-2025-25473.patch +Patch105: ffmpeg-6-CVE-2025-22921.patch + BuildRequires: c_compiler Requires: this-is-only-for-build-envs ++++++ ffmpeg-6-CVE-2024-12361.patch ++++++ >From 4065ff69a2ed49872f8694a03d0642b18c9d977c Mon Sep 17 00:00:00 2001 
From: Jiasheng Jiang <[email protected]> Date: Mon, 10 Jun 2024 14:18:11 +0000 Subject: [PATCH] avcodec/mpegvideo_enc: Add check for av_packet_new_side_data() Add check for av_packet_new_side_data() to avoid null pointer dereference if allocation fails. Fixes: bdc1220eeb ("h263enc: Add an option for outputting info about MBs as side data") Signed-off-by: Jiasheng Jiang <[email protected]> Signed-off-by: Anton Khirnov <[email protected]> --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 620ca08869..d33754d115 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1825,6 +1825,8 @@ int ff_mpv_encode_picture(AVCodecContext *avctx, AVPacket *pkt, s->mb_info_ptr = av_packet_new_side_data(pkt, AV_PKT_DATA_H263_MB_INFO, s->mb_width*s->mb_height*12); + if (!s->mb_info_ptr) + return AVERROR(ENOMEM); s->prev_mb_info = s->last_mb_info = s->mb_info_size = 0; } -- 2.41.0 ++++++ ffmpeg-6-CVE-2024-35365.patch ++++++ >From ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt <[email protected]> Date: Mon, 25 Mar 2024 16:54:25 +0100 Subject: [PATCH] fftools/ffmpeg_mux_init: Fix double-free on error MATCH_PER_STREAM_OPT iterates over all options of a given OptionDef and tests whether they apply to the current stream; if so, they are set to ost->apad, otherwise, the code errors out. If no error happens, ost->apad is av_strdup'ed in order to take ownership of this pointer. But this means that setting it originally was premature, as it leads to double-frees when an error happens lateron. This can simply be reproduced with ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null - This is a regression since 83ace80bfd80fcdba2c65fa1d554923ea931d5bd. Fix this by using a temporary variable instead of directly setting ost->apad. Also only strdup the string if it actually is != NULL. Reviewed-by: Marth64 <[email protected]> 
Signed-off-by: Andreas Rheinhardt <[email protected]> --- fftools/ffmpeg_mux_init.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c index 818d76acda..d3d7d022ff 100644 --- a/fftools/ffmpeg_mux_init.c +++ b/fftools/ffmpeg_mux_init.c @@ -845,6 +845,7 @@ int channels = 0; char *layout = NULL; char *sample_fmt = NULL; + const char *apad = NULL; MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st); if (channels) { @@ -882,8 +883,12 @@ MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc, st); - MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st); - ost->apad = av_strdup(ost->apad); + MATCH_PER_STREAM_OPT(apad, str, apad, oc, st); + if (apad) { + ost->apad = av_strdup(apad); + if (!ost->apad) + return AVERROR(ENOMEM); + } #if FFMPEG_OPT_MAP_CHANNEL /* check for channel mapping for this audio stream */ -- 2.41.0 ++++++ ffmpeg-6-CVE-2024-35368.patch ++++++ >From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt <[email protected]> Date: Sun, 24 Sep 2023 13:15:48 +0200 Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error After having created the AVBuffer that is put into frame->buf[0], ownership of several objects (namely an AVDRMFrameDescriptor, an MppFrame and some AVBufferRefs framecontextref and decoder_ref) has passed to the AVBuffer and therefore to the frame. Yet it has nevertheless been freed manually on error afterwards, which would lead to a double-free as soon as the AVFrame is unreferenced. Signed-off-by: Andreas Rheinhardt <[email protected]> --- libavcodec/rkmppdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c index 7665098c6a..6889545b20 100644 --- a/libavcodec/rkmppdec.c +++ b/libavcodec/rkmppdec.c 
@@ -463,8 +463,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame) frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref); if (!frame->hw_frames_ctx) { - ret = AVERROR(ENOMEM); - goto fail; + av_frame_unref(frame); + return AVERROR(ENOMEM); } return 0; -- 2.41.0 ++++++ ffmpeg-6-CVE-2025-0518.patch ++++++ >From b5b6391d64807578ab872dc58fb8aa621dcfc38a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Mon, 6 Jan 2025 22:01:39 +0100 Subject: [PATCH] avfilter/af_pan: Fix sscanf() use Fixes: Memory Data Leak Found-by: Simcha Kosman <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/af_pan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 0d20b0307b..5feb2439c7 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -196,7 +196,7 @@ static av_cold int init(AVFilterContext *ctx) sign = 1; while (1) { gain = 1; - if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) + if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) arg += len; if (parse_channel_name(&arg, &in_ch_id, &named)){ av_log(ctx, AV_LOG_ERROR, -- 2.41.0 ++++++ ffmpeg-6-CVE-2025-22919.patch ++++++ >From 1446e37d3d032e1452844778b3e6ba2c20f0c322 Mon Sep 17 00:00:00 2001 From: James Almer <[email protected]> Date: Mon, 30 Dec 2024 00:25:41 -0300 Subject: [PATCH] avfilter/buffersrc: check for valid sample rate A sample rate <= 0 is invalid. Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set. Fixes ticket #11385. Signed-off-by: James Almer <[email protected]> --- libavfilter/buffersrc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index bdf8b14451..c921803c67 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c 
@@ -421,6 +421,11 @@ static av_cold int init_audio(AVFilterContext *ctx) av_channel_layout_describe(&s->ch_layout, buf, sizeof(buf)); } + if (s->sample_rate <= 0) { + av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n"); + return AVERROR(EINVAL); + } + if (!s->time_base.num) s->time_base = (AVRational){1, s->sample_rate}; -- 2.41.0 ++++++ ffmpeg-6-CVE-2025-22921.patch ++++++ >From 7f9c7f9849a2155224711f0ff57ecdac6e4bfb57 Mon Sep 17 00:00:00 2001 From: James Almer <[email protected]> Date: Wed, 1 Jan 2025 23:58:39 -0300 Subject: [PATCH] avcodec/jpeg2000dec: clear array length when freeing it Fixes NULL pointer dereferences. Fixes ticket #11393. Reviewed-by: Michael Niedermayer <[email protected]> Signed-off-by: James Almer <[email protected]> --- libavcodec/jpeg2000dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e5e897a29f..b82d85d5ee 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1521,6 +1521,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, } } av_freep(&cblk->lengthinc); + cblk->nb_lengthinc = 0; } } // Save state of stream -- 2.41.0 ++++++ ffmpeg-6-CVE-2025-25473.patch ++++++ >From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001 From: James Almer <[email protected]> Date: Fri, 17 Jan 2025 00:05:31 -0300 Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue when closing a muxer packet_buffer is used in mux.c, and if a muxing process fails at a point where packets remained in said queue, they will leak. Fixes ticket #11419 Signed-off-by: James Almer <[email protected]> --- libavformat/avformat.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/avformat.c b/libavformat/avformat.c index eb9afad837..3801ef5d58 100644 --- a/libavformat/avformat.c +++ b/libavformat/avformat.c 
@@ -138,6 +138,7 @@ av_dict_free(&si->id3v2_meta); av_packet_free(&si->pkt); av_packet_free(&si->parse_pkt); + avpriv_packet_list_free(&si->packet_buffer); av_freep(&s->streams); ff_flush_packet_queue(s); av_freep(&s->url); -- 2.41.0
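
Review bot: in the ffmpeg-6.changes hunk @@ -1,0 +2,57 @@, two of the new entries are not complete sentences and should be reworded before they reach the RPM changelog. The CVE-2025-25473 entry stops at "packets remained in said queue." without saying what happens; the upstream commit message carried in the patch ends with "they will leak". The CVE-2024-35368 entry ("ownership of several objects Fix double-free on the AVFrame is unreferenced.") has lost its middle; the patch subject "Fix double-free on error" would be enough.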
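
Review bot: in the ffmpeg-6.changes hunk @@ -181,0 +260,3 @@, the vf_gradfun line cites bsc#122325, which has six digits where the two lines above it have seven (bsc#1223304, bsc#1223272), so the reference looks truncated. The same line also repeats CVE-2023-51793, which is already used for vf_weave directly above; please confirm both identifiers against the bug tracker before this lands.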
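
Review bot: in the ffmpeg-6.spec hunk @@ -60,7 +60,13 @@, the new comment does not say which builds lose xvid and reads as if openSUSE were the restricted case. The condition below it does the opposite: "%if !0%{?is_opensuse}" selects "%bcond_with xvid" (off by default) and the "%else" branch selects "%bcond_without xvid" (on by default). Suggest wording such as "# xvid stays enabled only on openSUSE; legal review is concerned about xvid patents in a commercial context." so the comment matches the logic.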
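
Review bot: the seven new Patch tags are numbered differently in the two preambles of ffmpeg-6.spec: hunk @@ -125,6 +130,13 @@ uses Patch98 to Patch104, while hunk @@ -846,6 +862,14 @@ uses Patch99 to Patch105 for the same files in the same order. The existing entries (Patch94, Patch95, Patch97) keep identical numbers in both places, and the spec's own comment warns that the preamble is present twice, so please align the new block, for example by starting at Patch98 in the second preamble as well.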
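
Review bot: the ffmpeg-6.spec hunk @@ -839,6 +854,7 @@ adds "Patch16: 0001-avcodec-libsvtav1-unbreak-build-with-latest-svtav1.patch" to the second preamble, but none of the ffmpeg-6.changes hunks in this commit mention it and it is not in the "New:" file list. If the file already ships and was only missing from this preamble, the changelog should say so; otherwise the source file is missing from the submission.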
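
Review bot: in rkmpp_retrieve_frame() in libavcodec/rkmppdec.c, the new error path after the failed av_buffer_ref() needs a comment saying why it must not use the fail label. The commit message explains that ownership of the descriptor, the MppFrame and the buffer references has already passed to the frame at this point, but nothing in the code records that, and "av_frame_unref(frame); return AVERROR(ENOMEM);" next to other "goto fail" paths invites someone to restore the old form and bring the double free back.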
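
Review bot: in init() in libavfilter/af_pan.c, the changed sscanf() test deserves a one-line comment stating why ">= 1" is required. sscanf() returns EOF, a non-zero value, when the input ends before the first conversion, so the old truthiness test went on to execute "arg += len" with a len that this call never wrote; without a note, the comparison looks like a stylistic change and is easy to simplify away again.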
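
Review bot: in init_audio() in libavfilter/buffersrc.c, the new error message "Sample rate not set" only describes the zero case, while the guard "s->sample_rate <= 0" also rejects negative values. Logging the offending value, for example "Invalid sample rate %d", would make a malformed caller easier to diagnose from the log.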
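
Review bot: in the libavformat/avformat.c hunk, the added avpriv_packet_list_free(&si->packet_buffer) sits two lines above an existing, unconditional ff_flush_packet_queue(s) call in the same cleanup sequence. Since this is a backport onto 6.1.2, please confirm that ff_flush_packet_queue() in this tree does not already release si->packet_buffer; if it does, the new line is redundant here and the changelog entry should not present it as the fix for this version.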
