USN-5958-1: FFmpeg vulnerabilities
Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 18.04
- Canonical Ubuntu 22.04
Description
It was discovered that FFmpeg could be made to dereference a null pointer. An attacker could possibly use this to cause a denial of service via application crash. These issues only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-3109, CVE-2022-3341) It was discovered that FFmpeg could be made to access an out-of-bounds frame by the Apple RPZA encoder. An attacker could possibly use this to cause a denial of service via application crash or access sensitive information. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.10. (CVE-2022-3964) It was discovered that FFmpeg could be made to access an out-of-bounds frame by the QuickTime encoder. An attacker could possibly use this to cause a denial of service via application crash or access sensitive information. This issue only affected Ubuntu 22.10. (CVE-2022-3965) Update Instructions: Run `sudo pro fix USN-5958-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libavresample-dev – 7:2.8.17-0ubuntu0.1+esm5 libswresample-ffmpeg1 – 7:2.8.17-0ubuntu0.1+esm5 libavresample-ffmpeg2 – 7:2.8.17-0ubuntu0.1+esm5 libavcodec-extra – 7:2.8.17-0ubuntu0.1+esm5 libswscale-ffmpeg3 – 7:2.8.17-0ubuntu0.1+esm5 libavcodec-dev – 7:2.8.17-0ubuntu0.1+esm5 libavutil-dev – 7:2.8.17-0ubuntu0.1+esm5 libavfilter-ffmpeg5 – 7:2.8.17-0ubuntu0.1+esm5 libpostproc-ffmpeg53 – 7:2.8.17-0ubuntu0.1+esm5 libavcodec-ffmpeg56 – 7:2.8.17-0ubuntu0.1+esm5 libswscale-dev – 7:2.8.17-0ubuntu0.1+esm5 libavformat-ffmpeg56 – 7:2.8.17-0ubuntu0.1+esm5 libswresample-dev – 7:2.8.17-0ubuntu0.1+esm5 libavdevice-dev – 7:2.8.17-0ubuntu0.1+esm5 libavcodec-ffmpeg-extra56 – 7:2.8.17-0ubuntu0.1+esm5 libavfilter-dev – 7:2.8.17-0ubuntu0.1+esm5 libpostproc-dev – 7:2.8.17-0ubuntu0.1+esm5 libavformat-dev – 7:2.8.17-0ubuntu0.1+esm5 ffmpeg – 7:2.8.17-0ubuntu0.1+esm5 libavutil-ffmpeg54 – 7:2.8.17-0ubuntu0.1+esm5 ffmpeg-doc – 7:2.8.17-0ubuntu0.1+esm5 libav-tools – 7:2.8.17-0ubuntu0.1+esm5 libavdevice-ffmpeg56 – 7:2.8.17-0ubuntu0.1+esm5 Available with Ubuntu Pro: https://ubuntu.com/pro
CVEs contained in this USN include: CVE-2022-3109, CVE-2022-3341, CVE-2022-3964, CVE-2022-3965.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- cflinuxfs3
- All versions
- cflinuxfs4
- All versions
- CF Deployment
- All versions
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- cflinuxfs3
- There are no fixed versions of this product
- cflinuxfs4
- There are no fixed versions of this product
- CF Deployment
- There are no fixed versions of this product
History
2023-05-25: Initial vulnerability report published.