Bug 1223215 (CVE-2023-49501)

Summary: VUL-0: CVE-2023-49501: ffmpeg: buffer overflow via the config_eq_output function in libavfilter/asrc_afirsrc.c
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Other
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: camila.matos
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/402757/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-49501:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-04-22 11:23:16 UTC
Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the config_eq_output function in the libavfilter/asrc_afirsrc.c:495:30 component.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49501
https://www.cve.org/CVERecord?id=CVE-2023-49501
https://github.com/FFmpeg/FFmpeg
https://trac.ffmpeg.org/ticket/10686
https://trac.ffmpeg.org/ticket/10686#no1
https://bugzilla.redhat.com/show_bug.cgi?id=2276114
Comment 1 Camila Camargo de Matos 2024-04-22 11:23:56 UTC
Affected packages:
- openSUSE:Factory/ffmpeg-6
Comment 2 Camila Camargo de Matos 2024-04-22 11:28:24 UTC
It seems like the fix for this issue is the set of changes applied by commit 4adb93df [0]. The function where this fix is applied (config_eq_output), however, was only introduced together with the changes from commit 19148a5b [1], in version 6.1 of FFmpeg. This means that versions 6.0 and earlier are not affected by this issue, as the vulnerable code is not present.

[0] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/4adb93dff05dd947878c67784d98c9a4e13b57a7
[1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/19148a5b9f44bed660258a5896d1d12d77d3d9ab
Comment 3 OBSbugzilla Bot 2024-04-22 17:16:16 UTC
This is an autogenerated message for OBS integration:
This bug (1223215) was mentioned in
https://build.opensuse.org/request/show/1169718 Factory / ffmpeg-6