MGASA-2020-0046 - Updated ffmpeg packages fix security vulnerabilities

Publication date: 22 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0046.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-17539,
     CVE-2019-17542

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 4.1.5, which fixes several bugs, and
atleasst the follwing security vulnerabilities:

In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL
pointer dereference and possibly unspecified other impact when there is
no valid close function pointer (CVE-2019-17539).

FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode_chunk
because of an out-of-array access in vqa_decode_init in libavcodec/
vqavideo.c (CVE-2019-17542).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26072
- https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.5
- https://ffmpeg.org/download.html
- https://ffmpeg.org/security.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17539
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17542

SRPMS:
- 7/tainted/ffmpeg-4.1.5-1.mga7.tainted
- 7/core/ffmpeg-4.1.5-1.mga7