USN-6430-1: FFmpeg vulnerabilities

Publication date

12 October 2023

Overview

Several security issues were fixed in FFmpeg.


Packages

  • ffmpeg - Tools for transcoding, streaming and playing of multimedia files

Details

It was discovered that FFmpeg did not properly handle certain inputs in
vf_lagfun.c, resulting in a buffer overflow vulnerability. An attacker
could possibly use this issue to cause a denial of service via application
crash. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-22024)

It was discovered that FFmpeg incorrectly managed memory in avienc.c,
resulting in a memory leak. An attacker could possibly use this issue
to cause a denial of service via application crash. (CVE-2020-22039)

It was discovered that FFmpeg incorrectly handled certain files due to a
memory leak in frame.c. An attacker could possibly use this issue to cause
a denial of service via application crash. This issue affected
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22040)

It was discovered that FFmpeg incorrectly handled certain files due to a
memory leak in fifo.c. An attacker could possibly use this issue to cause
a denial of service via application crash. (CVE-2020-22043)

It was discovered that FFmpeg incorrectly handled certain files due to a
memory leak in vf_tile.c. If a user or automated system were tricked into
processing a specially crafted MOV file, an attacker could possibly use
this issue to cause a denial of service. (CVE-2020-22051)

It was discovered that FFmpeg incorrectly handled certain MOV files in
timecode.c, leading to an integer overflow. An attacker could possibly
use this issue to cause a denial of service using a crafted MOV file.
This issue only affected Ubuntu 16.04 LTS. (CVE-2021-28429)


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release    Package                      Version
20.04 focal       ffmpeg                       7:4.2.7-0ubuntu0.1+esm2
                  libavcodec-extra             7:4.2.7-0ubuntu0.1+esm2
                  libavcodec-extra58           7:4.2.7-0ubuntu0.1+esm2
                  libavcodec58                 7:4.2.7-0ubuntu0.1+esm2
                  libavdevice58                7:4.2.7-0ubuntu0.1+esm2
                  libavfilter-extra            7:4.2.7-0ubuntu0.1+esm2
                  libavfilter-extra7           7:4.2.7-0ubuntu0.1+esm2
                  libavfilter7                 7:4.2.7-0ubuntu0.1+esm2
                  libavformat58                7:4.2.7-0ubuntu0.1+esm2
                  libavresample4               7:4.2.7-0ubuntu0.1+esm2
                  libavutil56                  7:4.2.7-0ubuntu0.1+esm2
                  libpostproc55                7:4.2.7-0ubuntu0.1+esm2
                  libswresample3               7:4.2.7-0ubuntu0.1+esm2
                  libswscale5                  7:4.2.7-0ubuntu0.1+esm2
18.04 bionic      ffmpeg                       7:3.4.11-0ubuntu0.1+esm2
                  libavcodec-extra             7:3.4.11-0ubuntu0.1+esm2
                  libavcodec-extra57           7:3.4.11-0ubuntu0.1+esm2
                  libavcodec57                 7:3.4.11-0ubuntu0.1+esm2
                  libavdevice57                7:3.4.11-0ubuntu0.1+esm2
                  libavfilter-extra            7:3.4.11-0ubuntu0.1+esm2
                  libavfilter-extra6           7:3.4.11-0ubuntu0.1+esm2
                  libavfilter6                 7:3.4.11-0ubuntu0.1+esm2
                  libavformat57                7:3.4.11-0ubuntu0.1+esm2
                  libavresample3               7:3.4.11-0ubuntu0.1+esm2
                  libavutil55                  7:3.4.11-0ubuntu0.1+esm2
                  libpostproc54                7:3.4.11-0ubuntu0.1+esm2
                  libswresample2               7:3.4.11-0ubuntu0.1+esm2
                  libswscale4                  7:3.4.11-0ubuntu0.1+esm2
16.04 xenial      ffmpeg                       7:2.8.17-0ubuntu0.1+esm6
                  libav-tools                  7:2.8.17-0ubuntu0.1+esm6
                  libavcodec-extra             7:2.8.17-0ubuntu0.1+esm6
                  libavcodec-ffmpeg-extra56    7:2.8.17-0ubuntu0.1+esm6
                  libavcodec-ffmpeg56          7:2.8.17-0ubuntu0.1+esm6
                  libavdevice-ffmpeg56         7:2.8.17-0ubuntu0.1+esm6
                  libavfilter-ffmpeg5          7:2.8.17-0ubuntu0.1+esm6
                  libavformat-ffmpeg56         7:2.8.17-0ubuntu0.1+esm6
                  libavresample-ffmpeg2        7:2.8.17-0ubuntu0.1+esm6
                  libavutil-ffmpeg54           7:2.8.17-0ubuntu0.1+esm6
                  libpostproc-ffmpeg53         7:2.8.17-0ubuntu0.1+esm6
                  libswresample-ffmpeg1        7:2.8.17-0ubuntu0.1+esm6
                  libswscale-ffmpeg3           7:2.8.17-0ubuntu0.1+esm6
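
The following script is an added example and is not part of the advisory or of the Ubuntu security tooling. It checks whether the FFmpeg packages installed on a host are at or above the fixed versions listed above, by reimplementing dpkg's version ordering (epoch, upstream, Debian revision, with the usual "~" and "+esm" semantics) so that the check also runs on a machine without dpkg, for instance when auditing package inventories collected from a fleet. The dpkg-query output embedded in the block is constructed sample data; on a real Ubuntu host feed it the output of `dpkg-query -W -f='${Package} ${Version}\n' ffmpeg 'libav*' 'libpostproc*' 'libsw*'` instead.

```python
"""Compare installed FFmpeg package versions against the USN-6430-1 fixed versions."""

# Fixed versions per Ubuntu release, copied from the advisory table.
FIXED_VERSIONS = {
    "focal": "7:4.2.7-0ubuntu0.1+esm2",
    "bionic": "7:3.4.11-0ubuntu0.1+esm2",
    "xenial": "7:2.8.17-0ubuntu0.1+esm6",
}

# Constructed sample in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`.
# Two of the four packages are below the fixed focal version.
SAMPLE_DPKG_OUTPUT = """\
ffmpeg 7:4.2.7-0ubuntu0.1
libavcodec58 7:4.2.7-0ubuntu0.1+esm2
libavformat58 7:4.2.7-0ubuntu0.1+esm1
libavutil56 7:4.2.7-0ubuntu0.1+esm2
"""


def _order(ch):
    """Character weight used by dpkg: '~' sorts before the empty string,
    letters sort before punctuation, digits are handled separately."""
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    if ch:
        return ord(ch) + 256
    return 0


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or Debian revision)
    the way dpkg does: alternate non-digit runs and numeric runs."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: skip leading zeros, then compare digit by digit;
        # the longer remaining digit string is the larger number.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` would."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for left, right in ((ua, ub), (ra, rb)):
        r = _verrevcmp(left, right)
        if r:
            return -1 if r < 0 else 1
    return 0


def find_vulnerable(dpkg_output, release):
    """Return {package: installed_version} for every package in the
    dpkg-query output that is older than the fixed version for `release`."""
    fixed = FIXED_VERSIONS[release]
    vulnerable = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, installed = line.split(None, 1)
        if compare_versions(installed.strip(), fixed) < 0:
            vulnerable[package] = installed.strip()
    return vulnerable


if __name__ == "__main__":
    for pkg, ver in find_vulnerable(SAMPLE_DPKG_OUTPUT, "focal").items():
        print(f"{pkg} {ver} is below {FIXED_VERSIONS['focal']}")
```

The comparison deliberately treats a plain `0ubuntu0.1` revision as older than `0ubuntu0.1+esm2`, so hosts that were never subscribed to ESM show up as unpatched rather than being silently skipped.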
