Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ffmpeg-4 for openSUSE:Factory checked in at 2026-01-12 11:49:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ffmpeg-4 (Old)
 and      /work/SRC/openSUSE:Factory/.ffmpeg-4.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg-4" Mon Jan 12 11:49:16 2026 rev:90 rq:1326658 version:4.4.6 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg-4/ffmpeg-4.changes 2025-10-16 17:38:34.391972329 +0200 +++ /work/SRC/openSUSE:Factory/.ffmpeg-4.new.1928/ffmpeg-4.changes 2026-01-12 11:49:18.551577975 +0100 
@@ -1,0 +2,26 @@ +Sun Jan 08 10:04:01 UTC 2026 - Cliff Zhao <[email protected]> + +- Add ffmpeg-4-CVE-2023-6601-shim01-6b1f68cc.patch: + Backport 6b1f68cc from upstream, fail on probing non hls/m3u8 file + extensions. Its unexpected that a .avi or other "standard" file turns + into a playlist. The goal of this patch is to avoid this unexpected + behavior and possible privacy or security differences. + (CVE-2023-6601, bsc#1220545) +- Add ffmpeg-4-CVE-2023-6601-shim02-954d16fa.patch: + Backport 954d16fa from upstream, Try to implement RFC8216 playlist + refusal. + (CVE-2023-6601, bsc#1220545) +- Add ffmpeg-4-CVE-2023-6601-shim03-a0cb5722.patch: + Backport a0cb5722 from upstream, Check mime_ok first, This should + be a few nano seconds faster (not measureable), But Collectively + the whole humankind watching hls will safe a minute. + (CVE-2023-6601, bsc#1220545) +- Add ffmpeg-4-CVE-2023-6601-shim04-5b630743.patch: + Backport 5b630743 from upstream, Better message from hls_probe() + (CVE-2023-6601, bsc#1220545) +- Add ffmpeg-4-CVE-2023-6601.patch: + Backport d09f50c0f from upstream, remove non standard hls + extension. 
+ (CVE-2023-6601, bsc#1220545) + +------------------------------------------------------------------- New: ---- ffmpeg-4-CVE-2023-6601-shim01-6b1f68cc.patch ffmpeg-4-CVE-2023-6601-shim02-954d16fa.patch ffmpeg-4-CVE-2023-6601-shim03-a0cb5722.patch ffmpeg-4-CVE-2023-6601-shim04-5b630743.patch ffmpeg-4-CVE-2023-6601.patch ----------(New B)---------- New: - Add ffmpeg-4-CVE-2023-6601-shim01-6b1f68cc.patch: Backport 6b1f68cc from upstream, fail on probing non hls/m3u8 file New: (CVE-2023-6601, bsc#1220545) - Add ffmpeg-4-CVE-2023-6601-shim02-954d16fa.patch: Backport 954d16fa from upstream, Try to implement RFC8216 playlist New: (CVE-2023-6601, bsc#1220545) - Add ffmpeg-4-CVE-2023-6601-shim03-a0cb5722.patch: Backport a0cb5722 from upstream, Check mime_ok first, This should New: (CVE-2023-6601, bsc#1220545) - Add ffmpeg-4-CVE-2023-6601-shim04-5b630743.patch: Backport 5b630743 from upstream, Better message from hls_probe() New: (CVE-2023-6601, bsc#1220545) - Add ffmpeg-4-CVE-2023-6601.patch: Backport d09f50c0f from upstream, remove non standard hls ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg-4.spec ++++++ --- /var/tmp/diff_new_pack.0C3RSh/_old 2026-01-12 11:49:19.803629953 +0100 +++ /var/tmp/diff_new_pack.0C3RSh/_new 2026-01-12 11:49:19.807630119 +0100 
@@ -145,6 +145,11 @@ Patch32: ffmpeg-4-CVE-2025-7700.patch Patch33: glslang16.patch Patch34: ffmpeg-4-CVE-2025-59728.patch +Patch35: ffmpeg-4-CVE-2023-6601-shim01-6b1f68cc.patch +Patch36: ffmpeg-4-CVE-2023-6601-shim02-954d16fa.patch +Patch37: ffmpeg-4-CVE-2023-6601-shim03-a0cb5722.patch +Patch38: ffmpeg-4-CVE-2023-6601-shim04-5b630743.patch +Patch39: ffmpeg-4-CVE-2023-6601.patch BuildRequires: ladspa-devel BuildRequires: libgsm-devel BuildRequires: libmp3lame-devel ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.0C3RSh/_old 2026-01-12 11:49:19.871632776 +0100 +++ /var/tmp/diff_new_pack.0C3RSh/_new 2026-01-12 11:49:19.879633109 +0100 @@ -1,5 +1,5 @@ -mtime: 1760495051 -commit: 0cacb49da48ff116c5cdfb43b3550578dc885e4023f39c1b49ac9ed044f4826f +mtime: 1768150023 +commit: 65be89cacb68c556844a421f2bbe7a6a68bc94307f5df0b01c7b523913016551 url: https://src.opensuse.org/jengelh/ffmpeg-4 revision: master ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-01-11 17:50:59.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ ffmpeg-4-CVE-2023-6601-shim01-6b1f68cc.patch ++++++ >From 6b1f68ccb04d791f0250e05687c346a99ff47ea1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Wed, 3 May 2023 13:08:35 +0200 Subject: [PATCH] avformat/hls: fail on probing non hls/m3u8 file extensions Its unexpected that a .avi or other "standard" file turns into a playlist. The goal of this patch is to avoid this unexpected behavior and possible privacy or security differences. Reviewed-by: Steven Liu <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/hls.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 8a96a37ff9..11e345b280 100644 
--- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2532,8 +2532,15 @@ static int hls_probe(const AVProbeData *p) if (strstr(p->buf, "#EXT-X-STREAM-INF:") || strstr(p->buf, "#EXT-X-TARGETDURATION:") || - strstr(p->buf, "#EXT-X-MEDIA-SEQUENCE:")) + strstr(p->buf, "#EXT-X-MEDIA-SEQUENCE:")) { + + if (!av_match_ext(p->filename, "m3u8,hls,m3u")) { + av_log(NULL, AV_LOG_ERROR, "Not detecting m3u8/hls with non standard extension\n"); + return 0; + } + return AVPROBE_SCORE_MAX; + } return 0; } -- 2.52.0 ++++++ ffmpeg-4-CVE-2023-6601-shim02-954d16fa.patch ++++++ >From 954d16fa3f09a04c7917a1c69a5c3e283554cb1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Mon, 15 May 2023 00:56:10 +0200 Subject: [PATCH] avformat/hls: Try to implement RFC8216 playlist refusal This should fix the regression since 6b1f68ccb04d791f0250e05687c346a99ff47ea1 Should fix Ticket10353 (please test and report cases that still fail) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/hls.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 11e345b280..425df3b26b 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2534,7 +2534,16 @@ static int hls_probe(const AVProbeData *p) strstr(p->buf, "#EXT-X-TARGETDURATION:") || strstr(p->buf, "#EXT-X-MEDIA-SEQUENCE:")) { - if (!av_match_ext(p->filename, "m3u8,hls,m3u")) { + int mime_ok = p->mime_type && !( + av_strcasecmp(p->mime_type, "application/vnd.apple.mpegurl") && + av_strcasecmp(p->mime_type, "audio/mpegurl") && + av_strcasecmp(p->mime_type, "audio/x-mpegurl") && + av_strcasecmp(p->mime_type, "application/x-mpegurl") + ); + + if (!av_match_ext (p->filename, "m3u8,hls,m3u") && + ff_match_url_ext(p->filename, "m3u8,hls,m3u") <= 0 && + !mime_ok) { av_log(NULL, AV_LOG_ERROR, "Not detecting m3u8/hls with non standard extension\n"); return 0; } -- 2.52.0 ++++++ ffmpeg-4-CVE-2023-6601-shim03-a0cb5722.patch ++++++ 
>From a0cb5722fda9bd03b7be31a83b043966f0fd71b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Mon, 15 May 2023 21:28:26 +0200 Subject: [PATCH] avformat/hls: Check mime_ok first This should be a few nano seconds faster (not measureable) But Collectively the whole humankind watching hls will safe a minute Found-by: Leo Izen Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/hls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 425df3b26b..fc29ef0ca9 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2541,9 +2541,9 @@ static int hls_probe(const AVProbeData *p) av_strcasecmp(p->mime_type, "application/x-mpegurl") ); - if (!av_match_ext (p->filename, "m3u8,hls,m3u") && - ff_match_url_ext(p->filename, "m3u8,hls,m3u") <= 0 && - !mime_ok) { + if (!mime_ok && + !av_match_ext (p->filename, "m3u8,hls,m3u") && + ff_match_url_ext(p->filename, "m3u8,hls,m3u") <= 0) { av_log(NULL, AV_LOG_ERROR, "Not detecting m3u8/hls with non standard extension\n"); return 0; } -- 2.52.0 ++++++ ffmpeg-4-CVE-2023-6601-shim04-5b630743.patch ++++++ >From 5b630743c625669b7c6ee4a01d4e0e8b51d7e636 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Mon, 15 May 2023 21:33:03 +0200 Subject: [PATCH] avformat/hls: Better message from hls_probe() Found-by: Kacper Michajlow <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/hls.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index fc29ef0ca9..2bc142510e 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -2536,17 +2536,23 @@ static int hls_probe(const AVProbeData *p) int mime_ok = p->mime_type && !( av_strcasecmp(p->mime_type, "application/vnd.apple.mpegurl") && - av_strcasecmp(p->mime_type, "audio/mpegurl") && + av_strcasecmp(p->mime_type, "audio/mpegurl") + ); + + int mime_x = p->mime_type && !( av_strcasecmp(p->mime_type, "audio/x-mpegurl") && av_strcasecmp(p->mime_type, "application/x-mpegurl") ); if (!mime_ok && + !mime_x && !av_match_ext (p->filename, "m3u8,hls,m3u") && ff_match_url_ext(p->filename, "m3u8,hls,m3u") <= 0) { - av_log(NULL, AV_LOG_ERROR, "Not detecting m3u8/hls with non standard extension\n"); + av_log(NULL, AV_LOG_ERROR, "Not detecting m3u8/hls with non standard extension and non standard mime type\n"); return 0; } + if (mime_x) + av_log(NULL, AV_LOG_WARNING, "mime type is not rfc8216 compliant\n"); return AVPROBE_SCORE_MAX; } -- 2.52.0 ++++++ ffmpeg-4-CVE-2023-6601.patch ++++++ >From d09f50c0f5f045dec35f0ca22c2212fae2378dba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Mon, 15 May 2023 21:39:13 +0200 Subject: [PATCH] avformat/hls: remove non standard hls extension Suggested-by: Kacper Michajlow <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/hls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 2bc142510e..4fff4405e8 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2546,8 +2546,8 @@ static int hls_probe(const AVProbeData *p) if (!mime_ok && !mime_x && - !av_match_ext (p->filename, "m3u8,hls,m3u") && - ff_match_url_ext(p->filename, "m3u8,hls,m3u") <= 0) { + !av_match_ext (p->filename, "m3u8,m3u") && + ff_match_url_ext(p->filename, "m3u8,m3u") <= 0) { av_log(NULL, AV_LOG_ERROR, "Not detecting m3u8/hls with non standard extension and non standard mime type\n"); return 0; } -- 2.52.0
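
Review bot: the new entry header in the ffmpeg-4.changes hunk reads "Sun Jan 08 10:04:01 UTC 2026", but this mail's own check-in stamp is "Mon Jan 12 11:49:16 2026", which puts 8 January 2026 on a Thursday; correct the weekday (or the date) so the entry is consistent. In the same entry, the shim02 bullet would be clearer if it said that 954d16fa widens the shim01 check to also accept a matching URL extension or mime type, since "Try to implement RFC8216 playlist refusal" alone does not tell a packager why that shim is needed.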
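
Review bot: in the ffmpeg-4.spec hunk, Patch35 to Patch39 form one ordered series, each rewriting the `if` in hls_probe() left by the previous one (the index lines chain 11e345b280, 425df3b26b, fc29ef0ca9, 2bc142510e, 4fff4405e8), but nothing in the spec records that dependency. Add a comment above Patch35 stating that the four shim patches are prerequisites of ffmpeg-4-CVE-2023-6601.patch and must keep this order, so a later rebase does not drop or reorder one of them.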
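
Review bot: in ffmpeg-4-CVE-2023-6601-shim01-6b1f68cc.patch the added `if (!av_match_ext(p->filename, "m3u8,hls,m3u"))` decides on p->filename alone, so an input whose name does not end in one of those extensions is refused even when it is a genuine playlist; the next patch's message describes this as a regression. As an intermediate backport step that is acceptable because shim02 is applied right after it, but the `av_log(NULL, AV_LOG_ERROR, ...)` call should be reconsidered: returning 0 from a probe function is a normal outcome, and an error-level message with a NULL context and no file name does not tell the user which input was rejected. Include p->filename in the message, or lower the level.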
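
Review bot: the `mime_ok` expression added in ffmpeg-4-CVE-2023-6601-shim02-954d16fa.patch is hard to audit, because it negates an `&&` chain of av_strcasecmp() calls that each return 0 on a match, so it is true when any one of the four listed types matches. A one-line comment saying that, or a small helper that returns 1 on the first match, would make the allow-list easier to verify. After this hunk the refusal triggers only when the extension check, the `ff_match_url_ext()` check and `mime_ok` all fail, so a matching mime type alone accepts the input whatever its extension; the commit message should say so explicitly, since it changes what shim01 blocked.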
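
Review bot: in ffmpeg-4-CVE-2023-6601-shim04-5b630743.patch the reworded error "Not detecting m3u8/hls with non standard extension and non standard mime type" is also printed when p->mime_type is NULL, because both `mime_ok` and `mime_x` evaluate to 0 in that case; for an input that has no mime type at all the message is misleading. Distinguish the missing-mime-type case in the text. The new `if (mime_x)` warning has the same gap as the error above it: it names neither the input nor the offending mime type, which makes it hard to act on in logs.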
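
Review bot: ffmpeg-4-CVE-2023-6601.patch has to edit the extension list in two places, `av_match_ext (p->filename, "m3u8,m3u")` and `ff_match_url_ext(p->filename, "m3u8,m3u")`, and the two literals must stay identical for the check to be coherent; hoist the list into a single constant so a later change cannot update only one call. The unchanged log line below still says "m3u8/hls", which reads fine as a format name, but the changelog entry should state that inputs with a .hls extension are no longer probed as HLS unless the mime type matches, since that is a user-visible behaviour change.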
