ArchLinux: 202007-4: ffmpeg: arbitrary code execution

    Date 31 Jul 2020
    95
    Posted By LinuxSecurity Advisories
    The package ffmpeg before version 2:4.3.1-1 is vulnerable to arbitrary code execution.
    Arch Linux Security Advisory ASA-202007-4
    =========================================
    
    Severity: High
    Date    : 2020-07-31
    CVE-ID  : CVE-2020-13904
    Package : ffmpeg
    Type    : arbitrary code execution
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1180
    
    Summary
    =======
    
    The package ffmpeg before version 2:4.3.1-1 is vulnerable to arbitrary
    code execution.
    
    Resolution
    ==========
    
    Upgrade to 2:4.3.1-1.
    
    # pacman -Syu "ffmpeg>=2:4.3.1-1"
    
    The problem has been fixed upstream in version 4.3.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A use-after-free via a crafted EXTINF duration in an m3u8 file has been
    found in ffmpeg <= 4.2.3, because parse_playlist in libavformat/hls.c
    frees a pointer, and later that pointer is accessed in
    av_probe_input_format3 in libavformat/format.c
    
    Impact
    ======
    
    An attacker can execute arbitrary code on the affected host via crafted
    multimedia content.
    
    References
    ==========
    
    https://trac.ffmpeg.org/ticket/8673
    https://patchwork.ffmpeg.org/project/ffmpeg/patch/This email address is being protected from spambots. You need JavaScript enabled to view it./
    https://security.archlinux.org/CVE-2020-13904
    

    LinuxSecurity Poll

    Are you planning to use the 1Password password manager now that it is available to Linux users?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/35-are-you-planning-to-use-the-1password-password-manager-now-that-it-is-available-to-linux-users?task=poll.vote&format=json
    35
    radio
    [{"id":"122","title":"Yes","votes":"1","type":"x","order":"1","pct":25,"resources":[]},{"id":"123","title":"No ","votes":"2","type":"x","order":"2","pct":50,"resources":[]},{"id":"124","title":"Not sure at the moment","votes":"1","type":"x","order":"3","pct":25,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.