Bugzilla – Bug 1189166
VUL-0: CVE-2021-3566: ffmpeg: Exposure of sensitive information on ffmpeg version prior to 4.3
Last modified: 2023-01-02 14:23:10 UTC
Prior to ffmpeg version 4.3, the tty demuxer did not have a 'read_probe' function assigned to it. By crafting a legitimate "ffconcat" file that references an image, followed by a file that triggers the tty demuxer, the contents of the second file will be copied into the output file verbatim (as long as the `-vcodec copy` option is passed to ffmpeg).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3566
https://github.com/FFmpeg/FFmpeg/commit/3bce9e9b3ea35c54bacccc793d7da99ea5157532#diff-74f6b92a0541378ad15de9c29c0a2b0c69881ad9ffc71abe568b88b535e00a7f
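A defensive pre-check for the input described above, as an added example that is not part of the original report or of ffmpeg: it audits an ffconcat list before it is handed to ffmpeg and flags entries that leave the job directory or are not an expected media type. The base directory, the extension allowlist and the sample list are assumptions, and `shlex` only approximates ffmpeg's quoting rules.

```python
import os
import shlex

# Assumption: the only file types this service expects inside a concat list.
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".mp4", ".mkv"}

# Constructed sample: an image entry followed by entries that should be rejected.
SAMPLE = """ffconcat version 1.0
file 'frame.png'
file '../config/app.conf'
file 'notes.txt'
file 'file:/srv/other/clip.mp4'
"""

def audit_ffconcat(text, base_dir):
    """Return (line_no, path, reason) for every 'file' entry to reject."""
    base = os.path.realpath(base_dir)
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # approximation of ffmpeg's quoting
        except ValueError:
            findings.append((no, raw, "unparsable quoting"))
            continue
        if parts[0] != "file":
            continue  # header and other directives are not audited here
        if len(parts) != 2:
            findings.append((no, raw, "malformed file directive"))
            continue
        path = parts[1]
        resolved = os.path.realpath(os.path.join(base, path))
        if ":" in path:
            reason = "protocol prefix"
        elif os.path.commonpath([base, resolved]) != base:
            reason = "outside base directory"
        elif os.path.splitext(path)[1].lower() not in ALLOWED_EXTS:
            reason = "unexpected extension"
        else:
            continue
        findings.append((no, path, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_ffconcat(SAMPLE, "/srv/uploads/job42"):
        print(finding)
```

An extension allowlist is a coarse filter; it complements, and does not replace, installing the fixed ffmpeg package.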
Affected version:
- SUSE:SLE-15-SP2:Update/ffmpeg 3.4.2
- SUSE:SLE-15:Update/ffmpeg 3.4.2

Upstream patch [0].

[0] https://github.com/FFmpeg/FFmpeg/commit/3bce9e9b3ea35c54bacccc793d7da99ea5157532.patch
Hello, Any update on this?
Alynx was working on a bulk of ffmpeg CVEs before; let me put this in his queue.
SUSE-SU-2021:3521-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1186756,1187852,1189166,1190718,1190719,1190722,1190723,1190726,1190729,1190733,1190734,1190735
CVE References: CVE-2020-20891,CVE-2020-20892,CVE-2020-20895,CVE-2020-20896,CVE-2020-20899,CVE-2020-20902,CVE-2020-22037,CVE-2020-35965,CVE-2021-3566,CVE-2021-38092,CVE-2021-38093,CVE-2021-38094
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): ffmpeg-3.4.2-11.17.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src): ffmpeg-3.4.2-11.17.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): ffmpeg-3.4.2-11.17.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): ffmpeg-3.4.2-11.17.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): ffmpeg-3.4.2-11.17.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): ffmpeg-3.4.2-11.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3521-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1186756,1187852,1189166,1190718,1190719,1190722,1190723,1190726,1190729,1190733,1190734,1190735
CVE References: CVE-2020-20891,CVE-2020-20892,CVE-2020-20895,CVE-2020-20896,CVE-2020-20899,CVE-2020-20902,CVE-2020-22037,CVE-2020-35965,CVE-2021-3566,CVE-2021-38092,CVE-2021-38093,CVE-2021-38094
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): ffmpeg-3.4.2-11.17.1
https://build.suse.de/request/show/270020
Done.
SUSE-SU-2023:0005-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1186756,1186761,1187852,1189166,1190718,1190719,1190722,1190723,1190726,1190729,1190733,1190734,1190735,1206442
CVE References: CVE-2020-20891,CVE-2020-20892,CVE-2020-20895,CVE-2020-20896,CVE-2020-20899,CVE-2020-20902,CVE-2020-22037,CVE-2020-22042,CVE-2020-35965,CVE-2021-3566,CVE-2021-38092,CVE-2021-38093,CVE-2021-38094,CVE-2022-3109
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server for SAP 15 (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-LTSS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Enterprise Storage 6 (src): ffmpeg-3.4.2-150000.4.44.1
SUSE CaaS Platform 4.0 (src): ffmpeg-3.4.2-150000.4.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.