File _patchinfo of Package patchinfo.38144

<patchinfo incident="38144">                                                                                                                                                                                                                                                                                                                                                              
  <issue tracker="bnc" id="1186756">VUL-1: CVE-2020-22037: ffmpeg: Denial of Service vulnerability exists due to a memory leak in avcodec_alloc_context3 at options.c</issue>                                                                                                                                                                                                             
  <issue tracker="bnc" id="1202848">kdenlive, missing packages</issue>                                                                                                                                                                                                                                                                                                                    
  <issue tracker="bnc" id="1215945">ffmpeg-4: Build fails with current Binutils; requires 'asm' fix (15.4, 15.5, Tumbleweed)</issue>                                                                                                                                                                                                                                                      
  <issue tracker="bnc" id="1229338">ffmpeg fails to build on 32bit arm</issue>                                                                                                                                                                                                                                                                                                            
  <issue tracker="bnc" id="1230983">libmfx update break ffmpeg-6</issue>                                                                                                                                                                                                                                                                                                                  
  <issue tracker="bnc" id="1219494">libmfx no longer supported</issue>                                                                                                                                                                                                                                                                                                                    
  <issue tracker="bnc" id="1234028">VUL-0: CVE-2024-35368: ffmpeg,ffmpeg-4: FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.</issue>                                                                                                                                                                                          
  <issue tracker="bnc" id="1235092">VUL-0: CVE-2024-36613: ffmpeg,ffmpeg-4: Integer overflow in ffmpeg</issue>                                                                                                                                                                                                                                                                            
  <issue tracker="bnc" id="1236007">VUL-0: CVE-2025-0518: ffmpeg,ffmpeg-4,ffmpeg-7: unchecked sscanf return value which leads to memory data leak</issue>                                                                                                                                                                                                                                 
  <issue tracker="bnc" id="1237351">VUL-0: CVE-2025-25473: ffmpeg: FFmpeg git master before commit c08d30 was discovered to contain a memory leak in avformat_free_context()</issue>                                                                                                                                                                                                      
  <issue tracker="bnc" id="1237358">VUL-0: CVE-2024-12361: ffmpeg: FFmpeg NULL Pointer Dereference</issue>                                                                                                                                                                                                                                                                                
  <issue tracker="bnc" id="1237371">VUL-0: CVE-2025-22919: ffmpeg,ffmpeg-4,ffmpeg-7: denial of service (DoS) via opening a crafted AAC file</issue>                                                                                                                                                                                                                                       
  <issue tracker="bnc" id="1237382">VUL-0: CVE-2025-22921: ffmpeg,ffmpeg-4,ffmpeg-7: segmentation violation in NULL pointer dereference via the component /libavcodec/jpeg2000dec.c</issue>                                                                                                                                                                                               
  <issue tracker="cve" id="2020-22037"/>                                                                                                                                                                                                                                                                                                                                                  
  <issue tracker="cve" id="2024-12361"/>                                                                                                                                                                                                                                                                                                                                                  
  <issue tracker="cve" id="2024-35368"/>                                                                                                                                                                                                                                                                                                                                                  
  <issue tracker="cve" id="2024-36613"/>                                                                                                                                                                                                                                                                                                                                                  
  <issue tracker="cve" id="2025-0518"/>                                                                                                                                                                                                                                                                                                                                                   
  <issue tracker="cve" id="2025-22919"/>                                                                                                                                                                                                                                                                                                                                                  
  <issue tracker="cve" id="2025-22921"/>                                                                                                                                                                                                                                                                                                                                                  
  <issue tracker="cve" id="2025-25473"/>                                                                                                                                                                                                                                                                                                                                                  
  <issue tracker="jsc" id="PED-10024"/>                                                                                                                                                                                                                                                                                                                                                   
  <packager>qzhao</packager>                                                                                                                                                                                                                                                                                                                                                              
  <rating>important</rating>                                                                                                                                                                                                                                                                                                                                                              
  <category>security</category>                                                                                                                                                                                                                                                                                                                                                           
  <summary>Security update for ffmpeg-4</summary>                                                                                                                                                                                                                                                                                                                                         
  <description>This update for ffmpeg-4 fixes the following issues:                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                                                          
- CVE-2020-22037: Fixed unchecked return value of the init_vlc function (bsc#1186756)                                                                                                                                                                                                                                                                                                     
- CVE-2024-12361: Fixed null pointer dereference (bsc#1237358)                                                                                                                                                                                                                                                                                                                            
- CVE-2024-35368: Fixed double free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c (bsc#1234028)                                                                                                                                                                                                                                                                      
- CVE-2024-36613: Fixed integer overflow in the DXA demuxer of the libavformat library (bsc#1235092)                                                                                                                                                                                                                                                                                      
- CVE-2025-0518: Fixed memory leak due to unchecked sscanf return value (bsc#1236007)                                                                                                                                                                                                                                                                                                     
- CVE-2025-22919: Fixed denial of service (DoS) via opening a crafted AAC file (bsc#1237371)                                                                                                                                                                                                                                                                                              
- CVE-2025-22921: Fixed segmentation violation in NULL pointer dereference via the component /libavcodec/jpeg2000dec.c (bsc#1237382)                                                                                                                                                                                                                                                      
- CVE-2025-25473: Fixed memory leak in avformat_free_context() (bsc#1237351)                                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                                                                                          
Other fixes:                                                                                                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                                                                                          
- Build with SVT-AV1 3.0.0.                                                                                                                                                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                                                                                                                                                          
- Update to release 4.4.5:                                                                                                                                                                                                                                                                                                                                                                
  * Adjust bconds to build the package in SLFO without xvidcore.
  * Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch (bsc#1229338)
  * Add ffmpeg-c99.patch so that the package conforms to the C99 standard and builds on i586 with GCC 14.
  * No longer build against libmfx; build against libvpl (bsc#1230983, bsc#1219494)
  * Drop libmfx dependency from our product (jira #PED-10024)
  * Update patch to build with glslang 14
  * Disable vmaf integration as ffmpeg-4 cannot handle vmaf&gt;=3
  * Copy codec list from ffmpeg-6
  * Resolve build failure with binutils &gt;= 2.41. (bsc#1215945)

- Update to version 4.4.4:                                                                                                                                                                                                                                                                                                                                                                
  * avcodec/012v: Order operations for odd size handling                                                                                                                                                                                                                                                                                                                                  
  * avcodec/alsdec: The minimal block is at least 7 bits                                                                                                                                                                                                                                                                                                                                  
  * avcodec/bink:                                                                                                                                                                                                                                                                                                                                                                         
    - Avoid undefined out of array end pointers in                                                                                                                                                                                                                                                                                                                                        
      binkb_decode_plane()                                                                                                                                                                                                                                                                                                                                                                
    - Fix off by 1 error in ref end                                                                                                                                                                                                                                                                                                                                                       
  * avcodec/eac3dec: avoid float noise in fixed mode addition to                                                                                                                                                                                                                                                                                                                          
    overflow                                                                                                                                                                                                                                                                                                                                                                              
  * avcodec/eatgq: Check index increments in tgq_decode_block()
  * avcodec/escape124:                                                                                                                                                                                                                                                                                                                                                                    
    - Fix signedness of end of input check
    - Fix some return codes                                                                                                                                                                                                                                                                                                                                                               
  * avcodec/ffv1dec:                                                                                                                                                                                                                                                                                                                                                                      
    - Check that num h/v slices is supported                                                                                                                                                                                                                                                                                                                                              
    - Fail earlier if prior context is corrupted                                                                                                                                                                                                                                                                                                                                          
    - Restructure slice coordinate reading a bit                                                                                                                                                                                                                                                                                                                                          
  * avcodec/mjpegenc: take into account component count when                                                                                                                                 
    writing the SOF header size                                                               
  * avcodec/mlpdec: Check max matrix instead of max channel in                                                                                                                               
    noise check                                                                               
  * avcodec/motionpixels: Mask pixels to valid values                                         
  * avcodec/mpeg12dec: Check input size                                                       
  * avcodec/nvenc:                                                                            
    - Fix b-frame DTS behavior with fractional framerates                                                                                                                                    
    - Fix vbv buffer size in cq mode                                                          
  * avcodec/pictordec: Remove mid exit branch                                                 
  * avcodec/pngdec: Check deloco index more exactly                                           
  * avcodec/rpzaenc: stop accessing out of bounds frame                                                                                                                                      
  * avcodec/scpr3: Check bx                                                                   
  * avcodec/scpr: Test bx before use                                                          
  * avcodec/snowenc: Fix visual weight calculation                                            
  * avcodec/speedhq: Check buf_size to be big enough for DC                                                                                                                                  
  * avcodec/sunrast: Fix maplength check                                                      
  * avcodec/tests/snowenc:                                                                    
    - Fix 2nd test                                                                            
    - Return a failure if DWT/IDWT mismatches                                                 
    - Unbreak DWT tests                                                                       
  * avcodec/tiff: Ignore tile_count                                                           
  * avcodec/utils:                                                                            
    - Allocate a line more for VC1 and WMV3                                                   
    - Ensure linesize for SVQ3                                                                
    - Use 32pixel alignment for bink                                                          
  * avcodec/videodsp_template: Adjust pointers to avoid undefined                                                                                                                            
    pointer things                                                                            
  * avcodec/vp3: Add missing check for av_malloc                                              
  * avcodec/wavpack:                                                                          
    - Avoid undefined shift in get_tail()                                                     
    - Check for end of input in wv_unpack_dsd_high()                                          
  * avcodec/xpmdec: Check size before allocation to avoid                                                                                                                                    
    truncation                                                                                
  * avfilter/vf_untile: swap the chroma shift values used for plane                                                                                                                          
    offsets                                                                                   
  * avformat/id3v2: Check taglen in read_uslt()                                               
  * avformat/mov: Check samplesize and offset to avoid integer                                                                                                                               
    overflow                                                                                  
  * avformat/mxfdec: Use 64bit in remainder                                                   
  * avformat/nutdec: Add check for avformat_new_stream                                                                                                                                       
  * avformat/replaygain: avoid undefined / negative abs                                                                                                                                      
  * swscale/input: Use more unsigned intermediates                                            
  * swscale/output: Bias 16bps output calculations to improve non                                                                                                                            
    overflowing range                                                                         
  * swscale: aarch64: Fix yuv2rgb with negative stride                                                                                                                                       
  * Use https for repository links                                                            
                                                                                              
- Update to version 4.4.3:                                                                    
  * Stable bug fix release, mainly codecs, filter and format fixes.                                                                                                                          

- Add patch to detect SDL2 &gt;= 2.1.0 (bsc#1202848)

- Update to version 4.4.2:                                                                    
  * Stable bug fix release, mainly codecs, filter and format fixes.                                                                                                                          

- Add conflicts for ffmpeg-5's tools                                                          
- Enable Vulkan filters                                                                       
- Fix OS version check, so nvcodec is enabled for Leap too.                                                                                                                                  
- Disable libsmbclient usage (can always be built with
  --with-smbclient): the use case of ffmpeg directly accessing
  smb:// shares is quite contrived (most users will have their
  smb shares mounted).

- Update to version 4.4.1:                                                                    
  * Stable bug fix release, mainly codecs and format fixes.                                                                                                                                  

</description>                                                                                
</patchinfo>                                                  