Bug 1214247 (CVE-2020-36138)

Summary: VUL-0: CVE-2020-36138: ffmpeg,ffmpeg-4: NULL pointer dereference in decode_frame() in libavcodec/tiff.c
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Jonathan Kang <songchuan.kang>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, security-team, songchuan.kang, stoyan.manolov, yfjiang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/375165/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-36138:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-08-14 10:22:29 UTC 
CVE-2020-36138

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version
4.3, allows remote attackers to cause a denial of service (DoS).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36138
https://www.cve.org/CVERecord?id=CVE-2020-36138
https://github.com/FFmpeg/FFmpeg/commit/292e41ce650a7b5ca5de4ae87fff0d6a90d9fc97
https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2020-November/272001.html
https://trac.ffmpeg.org/ticket/8960
Comment 1 Carlos López 2023-08-14 10:23:06 UTC 
Affects:
- SUSE:SLE-15:Update/ffmpeg
- SUSE:SLE-15-SP2:Update/ffmpeg
Comment 4 Jonathan Kang 2023-09-11 02:41:18 UTC 
(In reply to Stoyan Manolov from comment #3)
> Ping?

SUSE:SLE-15:Update/ffmpeg and SUSE:SLE-15-SP2:Update/ffmpeg doesn't seem to be affected by this CVE.

The patch mentioned in comment#0 says it's a regression since da5b3d0[1]. And that commit was created on Oct 8, 2020. However the version we're shipping in SUSE:SLE-15:Update and SUSE:SLE-15-SP2:Update is 3.4.2, which is released in February, 2018.

Besides, this latest comment[2] said the issue is not really fixed.

*[1] https://github.com/FFmpeg/FFmpeg/commit/da5b3d002862d1e105002a6dc1567e6551860896
*[2] https://trac.ffmpeg.org/ticket/8960#comment:8
Comment 5 Jonathan Kang 2023-10-23 06:08:15 UTC 
(In reply to Carlos López from comment #1)
> Affects:
> - SUSE:SLE-15:Update/ffmpeg
> - SUSE:SLE-15-SP2:Update/ffmpeg

@Carlos

Can you double check whether this issue affects these products? See my previous findings in comment#4.
Comment 6 Carlos López 2023-10-23 08:21:48 UTC 
(In reply to Jonathan Kang from comment #5)
> (In reply to Carlos López from comment #1)
> > Affects:
> > - SUSE:SLE-15:Update/ffmpeg
> > - SUSE:SLE-15-SP2:Update/ffmpeg
> 
> @Carlos
> 
> Can you double check whether this issue affects these products? See my
> previous findings in comment#4.

That looks right, closing.