#8973 closed defect (invalid)
ffmpeg dependency security bug
Reported by: | fastfading | Owned by: |
---|---|---|---
Priority: | normal | Component: | undetermined
Version: | git-master | Keywords: |
Cc: | | Blocked By: |
Blocking: | | Reproduced by developer: | no
Analyzed by developer: | no | |
Description
Current ffmpeg version 4.3.1
ffmpeg version 4.3.1-static https://johnvansickle.com/ffmpeg/ Copyright (c) 2000-2020 the FFmpeg developers
built with gcc 8 (Debian 8.3.0-6)
configuration: --enable-gpl --enable-version3 --enable-static --disable-debug --disable-ffplay --disable-indev=sndio --disable-outdev=sndio --cc=gcc --enable-fontconfig --enable-frei0r --enable-gnutls --enable-gmp --enable-libgme --enable-gray --enable-libaom --enable-libfribidi --enable-libass --enable-libvmaf --enable-libfreetype --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-librubberband --enable-libsoxr --enable-libspeex --enable-libsrt --enable-libvorbis --enable-libopus --enable-libtheora --enable-libvidstab --enable-libvo-amrwbenc --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxml2 --enable-libdav1d --enable-libxvid --enable-libzvbi --enable-libzimg
Depends on 3rd-party libraries:
Lib | Bug ID | Version | Latest Known Version
---|---|---|---
openjpeg | CVE-2016-7163 | 2.3.1 | 2.3.1
libpng | CVE-2019-7317 | 1.6.36 | 1.6.37
bzip2 | CVE-2019-12900 | 1.0.6 | 1.0.8
expat | CVE-2019-15903 | 2.2.6 | 2.2.10
alsa | CVE-2019-13351 | 1.0.17 |
These 3rd-party libs all have security bugs.
You can google the CVE bug ID for details easily.
For example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
Please upgrade these libs to the newest version to fix that.
Change History (3)
comment:1 by , 4 years ago
Priority: | important → normal
---|---
Resolution: | → invalid
Status: | new → closed
comment:2 by , 4 years ago
For openjpeg the current version and the latest version are both 2.3.1,
but the others are upgradable.

Lib | Bug ID | Version | Latest Known Version
---|---|---|---
openjpeg | CVE-2016-7163 | 2.3.1 | 2.3.1
libpng | CVE-2019-7317 | 1.6.36 | 1.6.37
bzip2 | CVE-2019-12900 | 1.0.6 | 1.0.8
expat | CVE-2019-15903 | 2.2.6 | 2.2.10
alsa | CVE-2019-13351 | 1.0.17 |
The FFmpeg project does not provide binaries at all, so you are reporting this at the wrong place. You should report this to the providers of the binaries you use; if it is actually a problem, of course. According to https://johnvansickle.com/ffmpeg/release-readme.txt they are already using libopenjpeg 2.3.1 and according to libopenjpeg's changelog (https://github.com/uclouvain/openjpeg/blob/master/CHANGELOG.md) the issue you are mentioning has been fixed in 2.1.2.
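The distinction the closing comment draws, between a bundled library being older than its latest release and being older than the release that actually fixed the CVE, as an added example that is not part of this ticket or of FFmpeg. The table rows and the 2.1.2 fix version come from the thread above; the configure-line excerpt is trimmed from the reported build, and treating `--enable-lib<name>` flags as the explicitly linked libraries is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Excerpt of the reported configure line, trimmed to the flags this example inspects.
CONFIGURE_LINE = ("configuration: --enable-gpl --enable-static --enable-libopenjpeg "
                  "--enable-libxml2 --enable-libfreetype --enable-libvpx")

@dataclass
class Dep:
    lib: str                 # library name as written in the ticket's table
    cve: str
    bundled: str             # version in the static build
    latest: Optional[str]    # latest known version from the table, if listed
    fixed_in: Optional[str]  # first version carrying the fix, only where the thread states it

# Rows from the ticket; only openjpeg's fix version (2.1.2, from the closing comment) is known.
TICKET_TABLE = [
    Dep("openjpeg", "CVE-2016-7163", "2.3.1", "2.3.1", "2.1.2"),
    Dep("libpng", "CVE-2019-7317", "1.6.36", "1.6.37", None),
    Dep("bzip2", "CVE-2019-12900", "1.0.6", "1.0.8", None),
    Dep("expat", "CVE-2019-15903", "2.2.6", "2.2.10", None),
    Dep("alsa", "CVE-2019-13351", "1.0.17", None, None),
]

def parse_version(v: str) -> tuple:
    """Numeric tuple so that 1.6.36 > 1.6.9; plain string comparison gets this backwards."""
    return tuple(int(x) for x in v.split("."))

def enabled_libs(configure_line: str) -> set:
    """Names switched on explicitly with --enable-lib<name> (assumed to be the direct deps)."""
    return set(re.findall(r"--enable-lib(\w+)", configure_line))

def assess(dep: Dep) -> str:
    """'patched'/'vulnerable' when the fix version is known, else 'needs-review'
    (bundled < latest on its own is not evidence that the CVE is present)."""
    if dep.fixed_in is None:
        return "needs-review"
    return "patched" if parse_version(dep.bundled) >= parse_version(dep.fixed_in) else "vulnerable"

def report(table, configure_line: str) -> dict:
    explicit = enabled_libs(configure_line)
    out = {}
    for d in table:
        name = d.lib[3:] if d.lib.startswith("lib") else d.lib   # "libpng" -> "png"
        out[d.lib] = (assess(d), "explicit" if name in explicit else "not-in-flags")
    return out

if __name__ == "__main__":
    for lib, (status, how) in report(TICKET_TABLE, CONFIGURE_LINE).items():
        print(f"{lib:9} {status:12} {how}")
```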