openSUSE Security Update : ffmpeg-4 (openSUSE-2020-24)

high Nessus Plugin ID 132910

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for ffmpeg-4 fixes the following issues :

ffmpeg-4 was updated to version 4.0.5, fixes boo#1133153

- CVE-2019-11339: The studio profile decoder in libavcodec/mpeg4videodec.c in FFmpeg 4.0 allowed remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified. (bsc#1133153)

- For other changes see /usr/share/doc/packages/libavcodec58/Changelog

Update to version 4.2.1 :

- Stable bug fix release, mainly codecs and format fixes.

- CVE-2019-15942: Conditional jump or move depends on uninitialised value' issue in h2645_parse (boo#1149839)

Update to FFmpeg 4.2 'Ada'

- tpad filter

- AV1 decoding support through libdav1d

- dedot filter

- chromashift and rgbashift filters

- freezedetect filter

- truehd_core bitstream filter

- dhav demuxer

- PCM-DVD encoder

- GIF parser

- vividas demuxer

- hymt decoder

- anlmdn filter

- maskfun filter

- hcom demuxer and decoder

- ARBC decoder

- libaribb24 based ARIB STD-B24 caption support (profiles A and C)

- Support decoding of HEVC 4:4:4 content in nvdec and cuviddec

- removed libndi-newtek

- agm decoder

- KUX demuxer

- AV1 frame split bitstream filter

- lscr decoder

- lagfun filter

- asoftclip filter

- Support decoding of HEVC 4:4:4 content in vdpau

- colorhold filter

- xmedian filter

- asr filter

- showspatial multimedia filter

- VP4 video decoder

- IFV demuxer

- derain filter

- deesser filter

- mov muxer writes tracks with unspecified language instead of English by default

- added support for using clang to compile CUDA kernels

- See /usr/share/doc/packages/ffmpeg-4/Changelog for the complete changelog.

Update to version 4.1.4

- See /usr/share/doc/packages/ffmpeg-4/Changelog for the complete changelog.

- Enable runtime enabling for fdkaac via
--enable-libfdk-aac-dlopen

Update to version 4.1.3 :

- Updates and bug fixes for codecs, filters and formats.
[boo#1133153, boo#1133155, CVE-2019-11338, CVE-2019-11339]

Update to version 4.1.2 :

- Updates and bug fixes for codecs, filters and formats.

Update to version 4.1.1 :

- Various filter and codec fixes and enhancements.

- configure: Add missing xlib dependency for VAAPI X11 code.

- For complete changelog, see /usr/share/doc/packages/ffmpeg-4/Changelog

- enable AV1 support on x86_64

Update ffmpeg to 4.1 :

- Lots of filter updates as usual: deblock, tmix, aplify, fftdnoiz, aderivative, aintegral, pal75bars, pal100bars, adeclick, adeclip, lensfun (wrapper), colorconstancy, 1D LUT filter (lut1d), cue, acue, transpose_npp, amultiply, Block-Matching 3d (bm3d) denoising filter, acrossover filter, audio denoiser as afftdn filter, sinc audio filter source, chromahold, setparams, vibrance, xstack, (a)graphmonitor filter yadif_cuda filter.

- AV1 parser

- Support for AV1 in MP4

- PCM VIDC decoder and encoder

- libtensorflow backend for DNN based filters like srcnn

- -- The following only enabled in third-party builds :

- ATRAC9 decoder

- AVS2 video decoder via libdavs2

- IMM4 video decoder

- Brooktree ProSumer video decoder

- MatchWare Screen Capture Codec decoder

- WinCam Motion Video decoder

- RemotelyAnywhere Screen Capture decoder

- AVS2 video encoder via libxavs2

- ILBC decoder

- SER demuxer

- Decoding S12M timecode in H264

- For complete changelog, see https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1

Update ffmpeg to 4.0.3 :

- For complete changelog, see https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.0.3

- CVE-2018-13305: Added a missing check for negative values of mqaunt variable (boo#1100345).

Solution

Update the affected ffmpeg-4 packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1100345

https://bugzilla.opensuse.org/show_bug.cgi?id=1133123

https://bugzilla.opensuse.org/show_bug.cgi?id=1133153

https://bugzilla.opensuse.org/show_bug.cgi?id=1133155

https://bugzilla.opensuse.org/show_bug.cgi?id=1149839

https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.0.3

https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1

Plugin Details

Severity: High

ID: 132910

File Name: openSUSE-2020-24.nasl

Version: 1.3

Type: local

Agent: unix

Published: 1/15/2020

Updated: 3/29/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-15942

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:ffmpeg-4-libswresample-devel, cpe:/o:novell:opensuse:15.1, p-cpe:/a:novell:opensuse:libpostproc55, p-cpe:/a:novell:opensuse:libavresample4-32bit, p-cpe:/a:novell:opensuse:libavformat58-32bit-debuginfo, p-cpe:/a:novell:opensuse:libswresample3-32bit, p-cpe:/a:novell:opensuse:ffmpeg-4-libavfilter-devel, p-cpe:/a:novell:opensuse:libavfilter7-debuginfo, p-cpe:/a:novell:opensuse:libswscale5, p-cpe:/a:novell:opensuse:libavresample4-debuginfo, p-cpe:/a:novell:opensuse:ffmpeg-4-libavresample-devel, p-cpe:/a:novell:opensuse:libavcodec58-32bit, p-cpe:/a:novell:opensuse:ffmpeg-4-libavutil-devel, p-cpe:/a:novell:opensuse:libavcodec58-debuginfo, p-cpe:/a:novell:opensuse:libavdevice58-32bit-debuginfo, p-cpe:/a:novell:opensuse:ffmpeg-4-private-devel, p-cpe:/a:novell:opensuse:libavresample4, p-cpe:/a:novell:opensuse:libswscale5-32bit-debuginfo, p-cpe:/a:novell:opensuse:ffmpeg-4-libavdevice-devel, p-cpe:/a:novell:opensuse:libavutil56, p-cpe:/a:novell:opensuse:libpostproc55-32bit-debuginfo, p-cpe:/a:novell:opensuse:libpostproc55-32bit, p-cpe:/a:novell:opensuse:libavfilter7-32bit, p-cpe:/a:novell:opensuse:libavformat58, p-cpe:/a:novell:opensuse:libpostproc55-debuginfo, p-cpe:/a:novell:opensuse:libavfilter7, p-cpe:/a:novell:opensuse:libavcodec58, p-cpe:/a:novell:opensuse:libavutil56-debuginfo, p-cpe:/a:novell:opensuse:libavformat58-debuginfo, p-cpe:/a:novell:opensuse:ffmpeg-4-libavformat-devel, p-cpe:/a:novell:opensuse:libswscale5-32bit, p-cpe:/a:novell:opensuse:libavformat58-32bit, p-cpe:/a:novell:opensuse:libavdevice58-debuginfo, p-cpe:/a:novell:opensuse:libswresample3, p-cpe:/a:novell:opensuse:ffmpeg-4-debugsource, p-cpe:/a:novell:opensuse:libswresample3-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavfilter7-32bit-debuginfo, p-cpe:/a:novell:opensuse:libswscale5-debuginfo, p-cpe:/a:novell:opensuse:ffmpeg-4-libswscale-devel, p-cpe:/a:novell:opensuse:libswresample3-debuginfo, p-cpe:/a:novell:opensuse:libavcodec58-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavdevice58, p-cpe:/a:novell:opensuse:ffmpeg-4-libavcodec-devel, p-cpe:/a:novell:opensuse:libavresample4-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavdevice58-32bit, p-cpe:/a:novell:opensuse:libavutil56-32bit, p-cpe:/a:novell:opensuse:libavutil56-32bit-debuginfo, p-cpe:/a:novell:opensuse:ffmpeg-4-libpostproc-devel

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/13/2020

Vulnerability Publication Date: 12/12/2017

Reference Information

CVE: CVE-2017-17555, CVE-2018-13305, CVE-2019-11338, CVE-2019-11339, CVE-2019-15942