This update for ffmpeg to version 3.3 fixes several issues.
These security issues were fixed:
- CVE-2016-10190: Heap-based buffer overflow in libavformat/http.c in FFmpeg allowed remote web servers to execute arbitrary code via a negative chunk size in an HTTP response (boo#1022920)
- CVE-2016-10191: Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg allowed remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches (boo#1022921)
- CVE-2016-10192: Heap-based buffer overflow in ffserver.c in FFmpeg allowed remote attackers to execute arbitrary code by leveraging failure to check chunk size (boo#1022922)
- CVE-2017-7859: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the ff_h264_slice_context_init function in libavcodec/h264dec.c (bsc#1034183).
- CVE-2017-7862: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c (bsc#1034181).
- CVE-2017-7863: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c (boo#1034179)
- CVE-2017-7865: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c (boo#1034177)
- CVE-2017-7866: FFmpeg had an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c (boo#1034176)
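One way to guard against the negative chunk size described for CVE-2016-10190, shown as an added example that is not FFmpeg's code and not part of the original advisory. The function names parse_chunk_size and bounded_read_len are hypothetical; the sketch assumes a NUL-terminated chunk-size line as input.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not FFmpeg code): parse the hex chunk-size field of an
 * HTTP/1.1 chunked-encoding line such as "1a3;ext=1\r\n".
 * Returns 0 and stores the size in *out, or -1 if the field is malformed. */
int parse_chunk_size(const char *line, uint64_t *out)
{
    const char *p = line;
    uint64_t v = 0;

    /* The field must start with a hex digit: this rejects "-1", "+5",
     * leading whitespace and an empty field, all of which the strtol()
     * family would accept or silently convert. */
    if (!isxdigit((unsigned char)*p))
        return -1;

    for (; isxdigit((unsigned char)*p); p++) {
        int c = tolower((unsigned char)*p);
        int digit = isdigit(c) ? c - '0' : c - 'a' + 10;

        if (v > (UINT64_MAX >> 4))   /* next shift would overflow */
            return -1;
        v = (v << 4) | (uint64_t)digit;
    }

    /* Only a chunk extension or the line ending may follow the digits. */
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return -1;

    *out = v;
    return 0;
}

/* Bytes to copy for one read: never more than the caller's buffer or what
 * remains of the chunk. Both operands are unsigned, so a hostile size
 * cannot turn into a negative length passed to a copy routine. */
size_t bounded_read_len(uint64_t chunk_left, size_t buf_size)
{
    return chunk_left < buf_size ? (size_t)chunk_left : buf_size;
}
```
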
These non-security issues were fixed:
- Enable ac3
- Enable mp3 decoding
- EBU R128 implementation is now built into ffmpeg and no longer relies on an external library
- New video filters "premultiply", "readeia608", "threshold", "midequalizer"
- Support for spherical videos
- New decoders: 16.8 and 24.0 floating point PCM, XPM
- New demuxers: MIDI Sample Dump Standard, Sample Dump eXchange demuxer
- MJPEG encoding uses Optimal Huffman tables now
- Native Opus encoder
- Support .mov with multiple sample description tables
- Removed the legacy X11 screen grabber, use XCB instead
- Removed asyncts filter (use af_aresample instead)
Submitted by
Jan Engelhardt (jengelh)