Ubuntu Security Notice 5958-1 - It was discovered that FFmpeg could be made to dereference a null pointer. An attacker could possibly use this to cause a denial of service via application crash. These issues only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that FFmpeg could be made to access an out-of-bounds frame by the Apple RPZA encoder. An attacker could possibly use this to cause a denial of service via application crash or access sensitive information. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.10.
b710f29c60cd37296fe80fdbacdb69f11d2246bd09c99140cec31c3ea61c73c5
==========================================================================
Ubuntu Security Notice USN-5958-1
March 16, 2023
ffmpeg vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in FFmpeg.
Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files
Details:
It was discovered that FFmpeg could be made to dereference a null
pointer. An attacker could possibly use this to cause a denial of
service via application crash. These issues only affected Ubuntu
16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. (CVE-2022-3109, CVE-2022-3341)
It was discovered that FFmpeg could be made to access an out-of-bounds
frame by the Apple RPZA encoder. An attacker could possibly use this
to cause a denial of service via application crash or access sensitive
information. This issue only affected Ubuntu 20.04 LTS and Ubuntu
22.10. (CVE-2022-3964)
It was discovered that FFmpeg could be made to access an out-of-bounds
frame by the QuickTime encoder. An attacker could possibly use this to
cause a denial of service via application crash or access sensitive
information. This issue only affected Ubuntu 22.10. (CVE-2022-3965)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
ffmpeg 7:5.1.1-1ubuntu2.1
libavcodec-extra 7:5.1.1-1ubuntu2.1
libavcodec-extra59 7:5.1.1-1ubuntu2.1
libavcodec59 7:5.1.1-1ubuntu2.1
libavdevice59 7:5.1.1-1ubuntu2.1
libavfilter-extra 7:5.1.1-1ubuntu2.1
libavfilter-extra8 7:5.1.1-1ubuntu2.1
libavfilter8 7:5.1.1-1ubuntu2.1
libavformat-extra 7:5.1.1-1ubuntu2.1
libavformat-extra59 7:5.1.1-1ubuntu2.1
libavformat59 7:5.1.1-1ubuntu2.1
libavutil57 7:5.1.1-1ubuntu2.1
libpostproc56 7:5.1.1-1ubuntu2.1
libswresample4 7:5.1.1-1ubuntu2.1
libswscale6 7:5.1.1-1ubuntu2.1
Ubuntu 22.04 LTS:
ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec-extra58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavcodec58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavdevice58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter-extra7 7:4.4.2-0ubuntu0.22.04.1+esm1
libavfilter7 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat-extra 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat-extra58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavformat58 7:4.4.2-0ubuntu0.22.04.1+esm1
libavutil56 7:4.4.2-0ubuntu0.22.04.1+esm1
libpostproc55 7:4.4.2-0ubuntu0.22.04.1+esm1
libswresample3 7:4.4.2-0ubuntu0.22.04.1+esm1
libswscale5 7:4.4.2-0ubuntu0.22.04.1+esm1
Ubuntu 20.04 LTS:
ffmpeg 7:4.2.7-0ubuntu0.1+esm1
libavcodec-extra 7:4.2.7-0ubuntu0.1+esm1
libavcodec-extra58 7:4.2.7-0ubuntu0.1+esm1
libavcodec58 7:4.2.7-0ubuntu0.1+esm1
libavdevice58 7:4.2.7-0ubuntu0.1+esm1
libavfilter-extra 7:4.2.7-0ubuntu0.1+esm1
libavfilter-extra7 7:4.2.7-0ubuntu0.1+esm1
libavfilter7 7:4.2.7-0ubuntu0.1+esm1
libavformat58 7:4.2.7-0ubuntu0.1+esm1
libavresample4 7:4.2.7-0ubuntu0.1+esm1
libavutil56 7:4.2.7-0ubuntu0.1+esm1
libpostproc55 7:4.2.7-0ubuntu0.1+esm1
libswresample3 7:4.2.7-0ubuntu0.1+esm1
libswscale5 7:4.2.7-0ubuntu0.1+esm1
Ubuntu 18.04 LTS:
ffmpeg 7:3.4.11-0ubuntu0.1+esm1
libavcodec-extra 7:3.4.11-0ubuntu0.1+esm1
libavcodec-extra57 7:3.4.11-0ubuntu0.1+esm1
libavcodec57 7:3.4.11-0ubuntu0.1+esm1
libavdevice57 7:3.4.11-0ubuntu0.1+esm1
libavfilter-extra 7:3.4.11-0ubuntu0.1+esm1
libavfilter-extra6 7:3.4.11-0ubuntu0.1+esm1
libavfilter6 7:3.4.11-0ubuntu0.1+esm1
libavformat57 7:3.4.11-0ubuntu0.1+esm1
libavresample3 7:3.4.11-0ubuntu0.1+esm1
libavutil55 7:3.4.11-0ubuntu0.1+esm1
libpostproc54 7:3.4.11-0ubuntu0.1+esm1
libswresample2 7:3.4.11-0ubuntu0.1+esm1
libswscale4 7:3.4.11-0ubuntu0.1+esm1
Ubuntu 16.04 ESM:
ffmpeg 7:2.8.17-0ubuntu0.1+esm5
libav-tools 7:2.8.17-0ubuntu0.1+esm5
libavcodec-extra 7:2.8.17-0ubuntu0.1+esm5
libavcodec-ffmpeg-extra56 7:2.8.17-0ubuntu0.1+esm5
libavcodec-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavdevice-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavfilter-ffmpeg5 7:2.8.17-0ubuntu0.1+esm5
libavformat-ffmpeg56 7:2.8.17-0ubuntu0.1+esm5
libavresample-ffmpeg2 7:2.8.17-0ubuntu0.1+esm5
libavutil-ffmpeg54 7:2.8.17-0ubuntu0.1+esm5
libpostproc-ffmpeg53 7:2.8.17-0ubuntu0.1+esm5
libswresample-ffmpeg1 7:2.8.17-0ubuntu0.1+esm5
libswscale-ffmpeg3 7:2.8.17-0ubuntu0.1+esm5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5958-1
CVE-2022-3109, CVE-2022-3341, CVE-2022-3964, CVE-2022-3965,
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/2007269
Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/7:5.1.1-1ubuntu2.1