Bug 1140754 (CVE-2019-13390) - VUL-1: CVE-2019-13390: ffmpeg: division by zero at adx_write_trailer in libavformat/rawenc.c
Summary: VUL-1: CVE-2019-13390: ffmpeg: division by zero at adx_write_trailer in libav...
Status: RESOLVED FIXED
Alias: CVE-2019-13390
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/236620/
Whiteboard: CVSSv2:SUSE:CVE-2019-13390:2.1:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-08 16:09 UTC by Alexander Bergmann
Modified: 2024-05-06 13:09 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-07-08 16:09:16 UTC
CVE-2019-13390

In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in
libavformat/rawenc.c. This may be related to two NULL pointers passed as
arguments at libavcodec/frame_thread_encoder.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13390
http://www.cvedetails.com/cve/CVE-2019-13390/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13390
https://trac.ffmpeg.org/ticket/7982
https://trac.ffmpeg.org/ticket/7981
https://trac.ffmpeg.org/ticket/7979
https://trac.ffmpeg.org/ticket/7985
https://trac.ffmpeg.org/ticket/7983
Comment 1 Alexander Bergmann 2019-07-08 16:09:43 UTC
The issue is not reproducible in SLE as we do not support the used codecs.
Comment 2 Cathy Hu 2023-01-11 15:08:40 UTC
All opensuse ffmpeg versions are over v4.2, fixed, closing.
Comment 3 Cathy Hu 2023-01-12 09:18:18 UTC
I checked again, and I think we are affected in sles, reopening:
- SUSE:SLE-15-SP2:Update/ffmpeg           3.4.2
- SUSE:SLE-15:Update/ffmpeg               3.4.2

Not Affected:
- SUSE:SLE-15-SP4:Update/ffmpeg-4         4.4  
- openSUSE:Backports:SLE-15-SP3/ffmpeg-4  4.4  
- openSUSE:Factory/ffmpeg-4               4.4.3
Comment 4 Cathy Hu 2023-01-12 09:19:06 UTC
Reassigning to gnome-bugs
Comment 5 Yifan Jiang 2023-01-13 01:37:58 UTC
Hello Alynx, could you help on the incomplete part? Thank you.
Comment 6 Alynx Zhou 2023-01-16 06:12:40 UTC
(In reply to Yifan Jiang from comment #5)
> Hello Alynx, could you help on the incomplete part? Thank you.

OK, I will handle this soon.
Comment 8 Alynx Zhou 2023-01-20 02:25:54 UTC
SR was merged.
Comment 10 Swamp Workflow Management 2023-01-30 14:16:59 UTC
SUSE-SU-2023:0206-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1140754,1206778
CVE References: CVE-2019-13390,CVE-2022-3341
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ffmpeg-3.4.2-150200.11.25.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    ffmpeg-3.4.2-150200.11.25.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src):    ffmpeg-3.4.2-150200.11.25.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    ffmpeg-3.4.2-150200.11.25.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src):    ffmpeg-3.4.2-150200.11.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-05-05 16:30:01 UTC
SUSE-SU-2023:2115-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1140754, 1206778, 1209934
CVE References: CVE-2019-13390, CVE-2022-3341, CVE-2022-48434
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ffmpeg-3.4.2-150000.4.53.2
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ffmpeg-3.4.2-150000.4.53.2
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ffmpeg-3.4.2-150000.4.53.2
SUSE Enterprise Storage 6 (src): ffmpeg-3.4.2-150000.4.53.2
SUSE CaaS Platform 4.0 (src): ffmpeg-3.4.2-150000.4.53.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Thomas Leroy 2024-05-06 13:09:14 UTC
All done, closing.