Bug 1223272 (CVE-2023-51793)

Summary: VUL-0: CVE-2023-51793: ffmpeg: heap buffer overflow in the image_copy_plane function in libavutil/imgutils.c
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: REOPENED --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: camila.matos, gnome-bugs, jengelh, yfjiang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/402766/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-51793:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-22 18:18:49 UTC 
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.

References:
https://ffmpeg.org/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51793
https://www.cve.org/CVERecord?id=CVE-2023-51793
https://trac.ffmpeg.org/ticket/10743
https://bugzilla.redhat.com/show_bug.cgi?id=2276114
Comment 2 Camila Camargo de Matos 2024-04-22 18:26:46 UTC 
For ffmpeg packages which include versions earlier than FFmpeg 4.4, no fix needs to be applied. That is because versions earlier than 4.4 are not affected by this vulnerability. The vulnerable code was introduced together with the changes from commit f0dd5c00 [0], which is only a part of FFmpeg starting on version 4.4

[0] https://git.videolan.org/?p=ffmpeg.git;a=commit;h=f0dd5c00cb9a1212db1a09b975072bb46b962718
Comment 4 Jan Engelhardt 2024-04-22 23:02:34 UTC 
Fix 0ecc1f0e48930723d7a467761b66850811c23e62 is included in refs/tags/6.1.1 as commit 8b8b4bdef3.

openSUSE:Factory/ffmpeg-6 already has 6.1.1.
Comment 5 Yifan Jiang 2024-04-23 02:11:08 UTC 
Cliff, can you also include this in your current ffmpeg submissions, thanks.
Comment 6 Yifan Jiang 2024-04-23 02:16:43 UTC 
We still need this bug to trace ALP, SLE and anywhere ffmpeg-4 appears.
Comment 8 OBSbugzilla Bot 2024-04-25 23:05:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1223272) was mentioned in
https://build.opensuse.org/request/show/1170214 Factory / ffmpeg-5
https://build.opensuse.org/request/show/1170215 Factory / ffmpeg-4
Comment 10 Maintenance Automation 2024-04-29 20:30:03 UTC 
SUSE-SU-2024:1470-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1223070, 1223235, 1223272
CVE References: CVE-2023-49502, CVE-2023-51793, CVE-2024-31578
Maintenance Incident: [SUSE:Maintenance:33554](https://smelt.suse.de/incident/33554/)
Sources used:
SUSE Linux Enterprise Workstation Extension 15 SP5 (src):
 ffmpeg-4-4.4-150400.3.24.1
openSUSE Leap 15.4 (src):
 ffmpeg-4-4.4-150400.3.24.1
openSUSE Leap 15.5 (src):
 ffmpeg-4-4.4-150400.3.24.1
SUSE Package Hub 15 15-SP5 (src):
 ffmpeg-4-4.4-150400.3.24.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 ffmpeg-4-4.4-150400.3.24.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 ffmpeg-4-4.4-150400.3.24.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 ffmpeg-4-4.4-150400.3.24.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 ffmpeg-4-4.4-150400.3.24.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 ffmpeg-4-4.4-150400.3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.