Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 504
Alerts This Week
Warning Icon 1 504

openSUSE 2018:2723-2 Low: ffmpeg DoS and Information Disclosure

opensuse
Calendar Grey September 22, 2018
Dist Opensuse Esm H88
The latest release of ffmpeg-4 addresses two minor concerns and includes guidance for applying fixes to vulnerable setups.
An update that solves two vulnerabilities and has one errata is now available.

Description

This update for ffmpeg-4 to version 4.0.2 fixes the following issues:

These security issues were fixed:

- CVE-2018-15822: The flv_write_packet function did not check for an empty

audio packet, leading to an assertion failure and DoS (bsc#1105869).

- CVE-2018-13300: An improper argument passed to the avpriv_request_sample

function may have triggered an out-of-array read while converting a

crafted AVI file to MPEG4, leading to a denial of service and possibly

an information disclosure (bsc#1100348).

These non-security issues were fixed:

- Enable webvtt encoders and decoders (boo#1092241).

- Build codec2 encoder and decoder, add libcodec2 to enable_decoders and

enable_encoders.

- Enable mpeg 1 and 2 encoders.

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2018-1004=1

Package List

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

ffmpeg-4-debugsource-4.0.2-bp150.3.3.1

ffmpeg-4-libavcodec-devel-4.0.2-bp150.3.3.1

ffmpeg-4-libavdevice-devel-4.0.2-bp150.3.3.1

ffmpeg-4-libavfilter-devel-4.0.2-bp150.3.3.1

ffmpeg-4-libavformat-devel-4.0.2-bp150.3.3.1

ffmpeg-4-libavresample-devel-4.0.2-bp150.3.3.1

ffmpeg-4-libavutil-devel-4.0.2-bp150.3.3.1

ffmpeg-4-libpostproc-devel-4.0.2-bp150.3.3.1

ffmpeg-4-libswresample-devel-4.0.2-bp150.3.3.1

ffmpeg-4-libswscale-devel-4.0.2-bp150.3.3.1

ffmpeg-4-private-devel-4.0.2-bp150.3.3.1

libavcodec58-4.0.2-bp150.3.3.1

libavcodec58-debuginfo-4.0.2-bp150.3.3.1

libavdevice58-4.0.2-bp150.3.3.1

libavdevice58-debuginfo-4.0.2-bp150.3.3.1

libavfilter7-4.0.2-bp150.3.3.1

libavfilter7-debuginfo-4.0.2-bp150.3.3.1

libavformat58-4.0.2-bp150.3.3.1

libavformat58-debuginfo-4.0.2-bp150.3.3.1

libavresample4-4.0.2-bp150.3.3.1

libavresample4-debuginfo-4.0.2-bp150.3.3.1

libavutil56-4.0.2-bp150.3.3.1

libavutil56-debuginfo-4.0.2-bp150.3.3.1

libpostproc55-4.0.2-bp150.3.3.1

libpostpro...

Read the Full Advisory

References

https://www.suse.com/security/cve/CVE-2018-13300.html

https://www.suse.com/security/cve/CVE-2018-15822.html

https://bugzilla.suse.com/1092241

https://bugzilla.suse.com/1100348

https://bugzilla.suse.com/1105869

--

Severity
low
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2018:2723-2
Rating: low
Affected Products: openSUSE Backports SLE-15 le.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.