File _patchinfo of Package patchinfo.7791
<patchinfo incident="7791">
<issue id="1064577" tracker="bnc">VUL-0: CVE-2017-15186: ffmpeg: Double free when parsing AVI file to MKV file using ffvhuff decoder</issue>
<issue id="1069407" tracker="bnc">VUL-0: CVE-2017-16840: ffmpeg: The VC-2 Video Compression encoder allows remote attackers to cause DoS (out-of-bounds read)</issue>
<issue id="1070762" tracker="bnc">VUL-0: CVE-2017-17081: ffmpeg: The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 3.4 does not properly validate widths and heights, which allows remote attackers to cause a denial of service (integer signedness error and out-of-array</issue>
<issue id="1072366" tracker="bnc">VUL-1: CVE-2017-17555: ffmpeg: The swri_audio_convert function allows remote attackers to cause a DoS</issue>
<issue id="1078488" tracker="bnc">VUL-0: CVE-2018-6392: ffmpeg: The filter_slice function in libavfilter/vf_transpose.c in FFmpeg through 3.4.1 allows remote attackers to cause a denial of service (out-of-array access) via a crafted MP4 file.</issue>
<issue id="1079368" tracker="bnc">VUL-0: CVE-2018-6621: ffmpeg: denial of service inside the decode_frame function in libavcodec/utvideodec.c</issue>
<issue id="1066428" tracker="bnc">VUL-0: CVE-2017-15672: ffmpeg: out-of-array read in slice counting</issue>
<issue id="2017-17555" tracker="cve" />
<issue id="2017-15672" tracker="cve" />
<issue id="2017-15186" tracker="cve" />
<issue id="2018-6392" tracker="cve" />
<issue id="2017-16840" tracker="cve" />
<issue id="2018-6621" tracker="cve" />
<issue id="2017-17081" tracker="cve" />
<category>security</category>
<rating>moderate</rating>
<packager>jengelh</packager>
<description>This update for ffmpeg fixes the following issues:
Updated ffmpeg to new bugfix release 3.4.2
* Fix integer overflows, multiplication overflows, undefined
shifts, and verify buffer lengths.
* avfilter/vf_transpose: Fix used plane count
[boo#1078488, CVE-2018-6392]
* avcodec/utvideodec: Fix bytes left check in decode_frame()
[boo#1079368, CVE-2018-6621]
- Enable use of libzvbi for displaying teletext subtitles.
- Fixed a DoS in swri_audio_convert() [boo#1072366, CVE-2017-17555].
Update to new bugfix release 3.4.1
* Fixed integer overflows, division by zero, illegal bit shifts
* Fixed the gmc_mmx function which failed to validate width
and height [boo#1070762, CVE-2017-17081]
* Fixed out-of-bounds in VC-2 encoder [boo#1069407, CVE-2017-16840]
* ffplay: use SDL2 audio API
- install also doc/ffserver.conf
- Update to new upstream release 3.4
* New video filters: deflicker, doubleweave, lumakey, pixscope,
oscilloscope, roberts, limiter, libvmaf, unpremultiply,
tlut2, floodfill, pseudocolor, despill, convolve, vmafmotion.
* New audio filters: afir, crossfeed, surround, headphone,
superequalizer, haas.
* Some video filters with several inputs now use a common set
of options: blend, libvmaf, lut3d, overlay, psnr, ssim. They
must always be used by name.
* librsvg support for svg rasterization
* spec-compliant VP9 muxing support in MP4
* Remove the libnut and libschroedinger muxer/demuxer wrappers
* drop deprecated qtkit input device (use avfoundation instead)
* SUP/PGS subtitle muxer
* VP9 tile threading support
* KMS screen grabber
* CUDA thumbnail filter
* V4L2 mem2mem HW assisted codecs
* Rockchip MPP hardware decoding
* (Not in openSUSE builds, only original ones:)
* Gremlin Digital Video demuxer and decoder
* Additional frame format support for Interplay MVE movies
* Dolby E decoder and SMPTE 337M demuxer
* raw G.726 muxer and demuxer, left- and right-justified
* NewTek NDI input/output device
* FITS demuxer, muxer, decoder and encoder
- Fixed a double free in huffyuv [boo#1064577, CVE-2017-15186]
- Fixed an out-of-bounds in ffv1dec [boo#1066428, CVE-2017-15672]
</description>
<summary>Security update for ffmpeg</summary>
</patchinfo>