Ubuntu Security Notice 6449-1 - It was discovered that FFmpeg incorrectly managed memory, resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS. It was also discovered that FFmpeg incorrectly managed memory in a way that, if a user or automated system were tricked into processing a specially crafted input file, could lead to a denial of service or arbitrary code execution; this issue affects Ubuntu 18.04 LTS, 20.04 LTS and 22.04 LTS. The fixed packages for all three releases are published through Ubuntu Pro (ESM).
==========================================================================
Ubuntu Security Notice USN-6449-1
October 24, 2023
ffmpeg vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in FFmpeg.
Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files
Details:
It was discovered that FFmpeg incorrectly managed memory resulting
in a memory leak. An attacker could possibly use this issue to cause
a denial of service via application crash. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22038)
It was discovered that FFmpeg incorrectly handled certain input files,
leading to an integer overflow. An attacker could possibly use this issue
to cause a denial of service via application crash. This issue only
affected Ubuntu 20.04 LTS. (CVE-2020-20898, CVE-2021-38090,
CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094)
It was discovered that FFmpeg incorrectly managed memory, resulting in
a memory leak. If a user or automated system were tricked into
processing a specially crafted input file, a remote attacker could
possibly use this issue to cause a denial of service, or execute
arbitrary code. (CVE-2022-48434)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm2
libavcodec-extra 7:4.4.2-0ubuntu0.22.04.1+esm2
libavcodec-extra58 7:4.4.2-0ubuntu0.22.04.1+esm2
libavcodec58 7:4.4.2-0ubuntu0.22.04.1+esm2
libavdevice58 7:4.4.2-0ubuntu0.22.04.1+esm2
libavfilter-extra 7:4.4.2-0ubuntu0.22.04.1+esm2
libavfilter-extra7 7:4.4.2-0ubuntu0.22.04.1+esm2
libavfilter7 7:4.4.2-0ubuntu0.22.04.1+esm2
libavformat-extra 7:4.4.2-0ubuntu0.22.04.1+esm2
libavformat-extra58 7:4.4.2-0ubuntu0.22.04.1+esm2
libavformat58 7:4.4.2-0ubuntu0.22.04.1+esm2
libavutil56 7:4.4.2-0ubuntu0.22.04.1+esm2
libpostproc55 7:4.4.2-0ubuntu0.22.04.1+esm2
libswresample3 7:4.4.2-0ubuntu0.22.04.1+esm2
libswscale-dev 7:4.4.2-0ubuntu0.22.04.1+esm2
libswscale5 7:4.4.2-0ubuntu0.22.04.1+esm2
Ubuntu 20.04 LTS (Available with Ubuntu Pro):
ffmpeg 7:4.2.7-0ubuntu0.1+esm3
libavcodec-extra 7:4.2.7-0ubuntu0.1+esm3
libavcodec-extra58 7:4.2.7-0ubuntu0.1+esm3
libavcodec58 7:4.2.7-0ubuntu0.1+esm3
libavdevice58 7:4.2.7-0ubuntu0.1+esm3
libavfilter-extra 7:4.2.7-0ubuntu0.1+esm3
libavfilter-extra7 7:4.2.7-0ubuntu0.1+esm3
libavfilter7 7:4.2.7-0ubuntu0.1+esm3
libavformat58 7:4.2.7-0ubuntu0.1+esm3
libavresample4 7:4.2.7-0ubuntu0.1+esm3
libavutil56 7:4.2.7-0ubuntu0.1+esm3
libpostproc55 7:4.2.7-0ubuntu0.1+esm3
libswresample3 7:4.2.7-0ubuntu0.1+esm3
libswscale5 7:4.2.7-0ubuntu0.1+esm3
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
ffmpeg 7:3.4.11-0ubuntu0.1+esm3
libavcodec-extra 7:3.4.11-0ubuntu0.1+esm3
libavcodec-extra57 7:3.4.11-0ubuntu0.1+esm3
libavcodec57 7:3.4.11-0ubuntu0.1+esm3
libavdevice57 7:3.4.11-0ubuntu0.1+esm3
libavfilter-extra 7:3.4.11-0ubuntu0.1+esm3
libavfilter-extra6 7:3.4.11-0ubuntu0.1+esm3
libavfilter6 7:3.4.11-0ubuntu0.1+esm3
libavformat57 7:3.4.11-0ubuntu0.1+esm3
libavresample3 7:3.4.11-0ubuntu0.1+esm3
libavutil55 7:3.4.11-0ubuntu0.1+esm3
libpostproc54 7:3.4.11-0ubuntu0.1+esm3
libswresample2 7:3.4.11-0ubuntu0.1+esm3
libswscale4 7:3.4.11-0ubuntu0.1+esm3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6449-1
CVE-2020-20898, CVE-2020-22038, CVE-2021-38090, CVE-2021-38091,
CVE-2021-38092, CVE-2021-38093, CVE-2021-38094, CVE-2022-48434