Bug 1223254 (CVE-2023-50008)

Summary: VUL-0: CVE-2023-50008: ffmpeg,ffmpeg-4: arbitrary code execution via the av_malloc function in libavutil/mem.c
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, camila.matos, qzhao
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/402761/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-50008:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-04-22 12:32:34 UTC
Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the av_malloc function in libavutil/mem.c:105:9 component.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50008
https://www.cve.org/CVERecord?id=CVE-2023-50008
https://github.com/FFmpeg/FFmpeg/commit/5f87a68cf70dafeab2fb89b42e41a4c29053b89b
https://trac.ffmpeg.org/ticket/10701
https://bugzilla.redhat.com/show_bug.cgi?id=2276128
Comment 1 Cliff Zhao 2024-04-23 06:04:15 UTC
Hi Camila,
Any affected packages list?
Comment 3 Camila Camargo de Matos 2024-04-23 11:15:42 UTC
The fixing commit for this issue, commit 5f87a68c [0], is freeing variables 'uhistogram' and 'vhistogram' in order to avoid the memory leak reported in the upstream ticket 10701 [1].

These variables, however, were not a part of the 'ColorCorrectContext' struct until the changes of commit dc34bf45 [2] were applied to FFmpeg, in version 5.0. The fix for CVE-2023-50008 will, therefore, not apply to FFmpeg versions below 5.0. Considering the nature of the fix, it is also safe to assume that FFmpeg versions 4.4 and below are not affected by the issue described by the upstream ticket 10701 [1].

[0] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/5f87a68cf70dafeab2fb89b42e41a4c29053b89b
[1] https://trac.ffmpeg.org/ticket/10701
[2] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/dc34bf45c5bf1518e9c1dae8f705e113f939da9e
Comment 4 OBSbugzilla Bot 2024-04-25 09:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1223254) was mentioned in
https://build.opensuse.org/request/show/1170119 Factory / ffmpeg-6
Comment 5 OBSbugzilla Bot 2024-04-25 23:05:06 UTC
This is an autogenerated message for OBS integration:
This bug (1223254) was mentioned in
https://build.opensuse.org/request/show/1170214 Factory / ffmpeg-5
Comment 7 Andrea Mattiazzo 2024-06-10 10:20:19 UTC
All done, closing.