Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#8973 closed defect (invalid)

ffmpeg dependency security bug

Reported by: fastfading Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Current ffmpeg version 4.3.1
ffmpeg version 4.3.1-static https://johnvansickle.com/ffmpeg/ Copyright (c) 2000-2020 the FFmpeg developers

built with gcc 8 (Debian 8.3.0-6)
configuration: --enable-gpl --enable-version3 --enable-static --disable-debug --disable-ffplay --disable-indev=sndio --disable-outdev=sndio --cc=gcc --enable-fontconfig --enable-frei0r --enable-gnutls --enable-gmp --enable-libgme --enable-gray --enable-libaom --enable-libfribidi --enable-libass --enable-libvmaf --enable-libfreetype --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-librubberband --enable-libsoxr --enable-libspeex --enable-libsrt --enable-libvorbis --enable-libopus --enable-libtheora --enable-libvidstab --enable-libvo-amrwbenc --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxml2 --enable-libdav1d --enable-libxvid --enable-libzvbi --enable-libzimg

Depends on 3rd party:

Lib      Bug ID         Version Latest Known Version
openjpeg CVE-2016-7163  2.3.1   2.3.1
libpng   CVE-2019-7317  1.6.36  1.6.37
bzip2    CVE-2019-12900 1.0.6   1.0.8
expat    CVE-2019-15903 2.2.6   2.2.10
alsa     CVE-2019-13351 1.0.17

These 3rd party libs all have security bugs.
You can Google the CVE bug ID for details easily.
For example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
Please upgrade these libs to the newest version to fix that.
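The report compares each bundled library against its latest release, while comment:1 below makes the point that what actually decides exposure is whether the bundled version is at or above the release that fixed the CVE. The following Python script is an added example (not code from the ticket or the FFmpeg project) that keeps those two checks apart: it extracts the `--enable-lib*` third-party libraries from the `configuration:` line that `ffmpeg -version` prints, compares versions numerically (so 2.2.6 is correctly older than 2.2.10, which a plain string comparison gets wrong), and classifies each library from the reporter's table. The function names and the `FIXED_IN` table are this example's own; the only fixed-in value taken from the ticket is openjpeg 2.1.2, and the configuration string is an excerpt of the flags the reporter posted.

```python
"""Audit the third-party libraries compiled into an ffmpeg binary.

Added example, not code from the ticket or the FFmpeg project. Two checks are
kept separate on purpose: "is the bundled version older than the latest
release" (what the report compared) and "is the bundled version at or above
the release that fixed the CVE" (what decides exposure). Helper names and the
FIXED_IN table are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Excerpt (constructed from the ticket) of the configuration line that the
# reporter's static build prints with `ffmpeg -version`.
CONFIGURATION = (
    "--enable-gpl --enable-version3 --enable-static --disable-debug "
    "--enable-libopenjpeg --enable-libmp3lame --enable-libvpx "
    "--enable-libx264 --enable-libxml2 --enable-libdav1d"
)

# Reporter's table: lib -> (CVE, bundled version, latest known version or None)
REPORTED: Dict[str, Tuple[str, str, Optional[str]]] = {
    "openjpeg": ("CVE-2016-7163", "2.3.1", "2.3.1"),
    "libpng": ("CVE-2019-7317", "1.6.36", "1.6.37"),
    "bzip2": ("CVE-2019-12900", "1.0.6", "1.0.8"),
    "expat": ("CVE-2019-15903", "2.2.6", "2.2.10"),
    "alsa": ("CVE-2019-13351", "1.0.17", None),
}

# Release that fixed each CVE. Only the openjpeg value is stated in the ticket
# (comment:1); the others are left unknown here rather than guessed.
FIXED_IN: Dict[str, Optional[str]] = {
    "CVE-2016-7163": "2.1.2",
    "CVE-2019-7317": None,
    "CVE-2019-12900": None,
    "CVE-2019-15903": None,
    "CVE-2019-13351": None,
}


def parse_enabled_libs(configuration: str) -> List[str]:
    """Names of third-party libraries enabled via --enable-lib<name>."""
    return re.findall(r"--enable-lib([a-z0-9-]+)", configuration)


def version_key(version: str, width: int = 4) -> Tuple[int, ...]:
    """Numeric components, zero-padded so 1.0 == 1.0.0 and 2.2.6 < 2.2.10."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0] * width)[:width])


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like strcmp, but comparing each component as a number."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def classify(bundled: str, latest: Optional[str], fixed_in: Optional[str]) -> str:
    """Exposure verdict: a known fixed-in version overrides the latest-release check."""
    if fixed_in is not None:
        return "fixed" if compare_versions(bundled, fixed_in) >= 0 else "vulnerable"
    if latest is not None and compare_versions(bundled, latest) < 0:
        return "outdated, fix status unknown"
    return "fix status unknown"


def audit(reported=REPORTED, fixed_in=FIXED_IN) -> Dict[str, str]:
    """Map each library in the table to its classification."""
    return {
        lib: classify(bundled, latest, fixed_in.get(cve))
        for lib, (cve, bundled, latest) in reported.items()
    }


if __name__ == "__main__":
    print("third-party libs enabled:", ", ".join(parse_enabled_libs(CONFIGURATION)))
    for lib, status in audit().items():
        cve, bundled, latest = REPORTED[lib]
        print(f"{lib:<9} {cve:<15} bundled {bundled:<7} latest {latest or '?':<7} -> {status}")
```

Run against the reporter's table, openjpeg comes out as fixed despite its CVE being listed, while libpng, bzip2 and expat are only flagged as outdated with the fix status unknown, which is exactly the distinction the rest of this ticket turns on.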

Change History (3)

comment:1 by mkver, 4 years ago

Priority: important → normal
Resolution: → invalid
Status: new → closed

The FFmpeg project does not provide binaries at all, so you are reporting this at the wrong place. You should report this to the providers of the binaries you use; if it is actually a problem, of course. According to https://johnvansickle.com/ffmpeg/release-readme.txt they are already using libopenjpeg 2.3.1 and according to libopenjpeg's changelog (https://github.com/uclouvain/openjpeg/blob/master/CHANGELOG.md) the issue you are mentioning has been fixed in 2.1.2.


comment:2 by fastfading, 4 years ago

For openjpeg the current version and the latest version are both 2.3.1,
but the others are upgradable.

Lib Bug  ID             Version Latest Known Version
openjpeg CVE-2016-7163  2.3.1   2.3.1
libpng   CVE-2019-7317  1.6.36  1.6.37
bzip2    CVE-2019-12900 1.0.6   1.0.8
expat    CVE-2019-15903 2.2.6   2.2.10
alsa     CVE-2019-13351 1.0.17

comment:3 by Balling, 4 years ago

Latest version is 2.3.1

Just use master.
