Bug 1186862 (CVE-2020-22051)

Summary: VUL-1: CVE-2020-22051: ffmpeg: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the filter_frame function in vf_tile.c.
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: E-mail List <gnome-bugs>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P5 - None
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/301156/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-06-04 12:26:49 UTC
A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in
the filter_frame function in vf_tile.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22051
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=673fce6d40d9a594fb7a0ea17d296b7d3d9ea856
https://trac.ffmpeg.org/ticket/8313

Comment 1 Gianluca Gabrielli 2021-06-04 12:28:31 UTC
The following packages don't implement the affected function `static av_cold void uninit(AVFilterContext *ctx)`:
 - SUSE:SLE-15-SP2:Update/ffmpeg   3.4.2
 - SUSE:SLE-15:Update/ffmpeg       3.4.2

The following package is already patched:
 - openSUSE:Factory/ffmpeg-4       4.4