Debian Security Advisory

DLA-2818-1 ffmpeg -- LTS security update

Date Reported:
14 Nov 2021
Affected Packages:
ffmpeg
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2020-20445, CVE-2020-20446, CVE-2020-20451, CVE-2020-20453, CVE-2020-22037, CVE-2020-22041, CVE-2020-22044, CVE-2020-22046, CVE-2020-22048, CVE-2020-22049, CVE-2020-22054, CVE-2021-38171, CVE-2021-38291.
More information:

Multiple issues have been discovered in ffmpeg - tools for transcoding, streaming and playing of multimedia files.

  • CVE-2020-20445

    Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service.

  • CVE-2020-20446

    Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a Denial of Service.

  • CVE-2020-20451

    Denial of Service issue due to resource management errors via fftools/cmdutils.c.

  • CVE-2020-20453

    Divide By Zero issue via libavcodec/aaccoder, which allows a remote malicious user to cause a Denial of Service.

  • CVE-2020-22037

    A Denial of Service vulnerability due to a memory leak in avcodec_alloc_context3 in options.c.

  • CVE-2020-22041

    A Denial of Service vulnerability due to a memory leak in the av_buffersrc_add_frame_flags function in buffersrc.

  • CVE-2020-22044

    A Denial of Service vulnerability due to a memory leak in the url_open_dyn_buf_internal function in libavformat/aviobuf.c.

  • CVE-2020-22046

    A Denial of Service vulnerability due to a memory leak in the avpriv_float_dsp_alloc function in libavutil/float_dsp.c.

  • CVE-2020-22048

    A Denial of Service vulnerability due to a memory leak in the ff_frame_pool_get function in framepool.c.

  • CVE-2020-22049

    A Denial of Service vulnerability due to a memory leak in the wtvfile_open_sector function in wtvdec.c.

  • CVE-2020-22054

    A Denial of Service vulnerability due to a memory leak in the av_dict_set function in dict.c.

  • CVE-2021-38171

    adts_decode_extradata in libavformat/adtsenc.c does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

  • CVE-2021-38291

    An assertion failure in src/libavutil/mathematics.c causes ffmpeg to abort. In some extreme cases, such as adpcm_ms samples with an extremely high channel count, get_audio_frame_duration() may return a negative frame duration value.

For Debian 9 stretch, these problems have been fixed in version 7:3.2.16-1+deb9u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS