Bugzilla – Bug 1189724
VUL-0: CVE-2021-38171: ffmpeg: adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value
Last modified: 2024-04-22 17:16:02 UTC
adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38171
https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6
http://www.cvedetails.com/cve/CVE-2021-38171/
https://patchwork.ffmpeg.org/project/ffmpeg/patch/AS8P193MB12542A86E22F8207EC971930B6F19@AS8P193MB1254.EURP193.PROD.OUTLOOK.COM/
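The unchecked-return pattern described in the summary above, as an added C example that is not FFmpeg's code: `bitreader_init`, `bitreader_get`, `parse_config`, the error code and the padding constant are simplified stand-ins chosen for illustration. The 5/4/4-bit fields read here are the leading fields of an MPEG-4 AudioSpecificConfig, and the sample bytes are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_INVALIDDATA (-1)  /* stand-in error code (assumption) */
#define PADDING_BITS    512   /* stand-in read padding (assumption) */
typedef struct { const uint8_t *buf; int size_in_bits, index; } BitReader;
typedef struct { unsigned object_type, sr_index, channels; } AacConfig;

/* Simplified init: an unusable size clears the reader AND returns an error. */
static int bitreader_init(BitReader *br, const uint8_t *buf, int bit_size)
{
    int bad = !buf || bit_size < 0 || bit_size >= INT_MAX - PADDING_BITS;
    br->buf = bad ? NULL : buf;
    br->size_in_bits = bad ? 0 : bit_size;
    br->index = 0;
    return bad ? ERR_INVALIDDATA : 0;
}

/* Reads n bits MSB-first with no bounds check of its own. */
static unsigned bitreader_get(BitReader *br, int n)
{
    unsigned v = 0;
    for (; n > 0; n--, br->index++)
        v = (v << 1) | ((br->buf[br->index >> 3] >> (7 - (br->index & 7))) & 1u);
    return v;
}

/* check_init == 0 models the unchecked call: a failed init leaves br.buf NULL
 * and the reads below dereference it. check_init == 1 models the fixed call. */
static int parse_config(const uint8_t *buf, int size, AacConfig *c, int check_init)
{
    BitReader br;
    int ret = bitreader_init(&br, buf, size * 8);
    if (check_init && ret < 0)
        return ret;                 /* stop before any read */
    c->object_type = bitreader_get(&br, 5);
    c->sr_index    = bitreader_get(&br, 4);
    c->channels    = bitreader_get(&br, 4);
    return 0;
}

int main(void)
{
    const uint8_t asc[2] = { 0x12, 0x10 };  /* constructed sample config */
    AacConfig c;
    int ok = parse_config(asc, 2, &c, 1), bad = parse_config(asc, INT_MAX / 8, &c, 1);
    printf("valid=%d oversized=%d channels=%u\n", ok, bad, c.channels);
    return 0;
}
```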
Affected packages:
- SUSE:SLE-15-SP2:Update/ffmpeg 3.4.2
- SUSE:SLE-15:Update/ffmpeg 3.4.2
- openSUSE:Factory/ffmpeg-4 4.4

Upstream patch [0].

[0] https://github.com/FFmpeg/FFmpeg/commit/9ffa494
https://build.opensuse.org/request/show/914527 SR for multimedia:libs / ffmpeg-4
https://build.suse.de/request/show/249074 SR for SUSE:SLE-15-SP2:Update / ffmpeg
https://build.suse.de/request/show/249075 SR for SUSE:SLE-15:Update / ffmpeg
https://build.suse.de/request/show/249279 fixed conflict for SLE-15-SP2
https://build.suse.de/request/show/249280 fixed conflict for SLE-15
SUSE-SU-2021:3193-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1189724
CVE References: CVE-2021-38171
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): ffmpeg-3.4.2-11.11.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src): ffmpeg-3.4.2-11.11.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): ffmpeg-3.4.2-11.11.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): ffmpeg-3.4.2-11.11.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): ffmpeg-3.4.2-11.11.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): ffmpeg-3.4.2-11.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3193-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1189724
CVE References: CVE-2021-38171
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): ffmpeg-3.4.2-11.11.1
SUSE-SU-2021:3212-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1189724
CVE References: CVE-2021-38171
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): ffmpeg-3.4.2-4.37.1
SUSE Linux Enterprise Server for SAP 15 (src): ffmpeg-3.4.2-4.37.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): ffmpeg-3.4.2-4.37.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): ffmpeg-3.4.2-4.37.1
SUSE Linux Enterprise Server 15-LTSS (src): ffmpeg-3.4.2-4.37.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): ffmpeg-3.4.2-4.37.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): ffmpeg-3.4.2-4.37.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): ffmpeg-3.4.2-4.37.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): ffmpeg-3.4.2-4.37.1
SUSE Enterprise Storage 6 (src): ffmpeg-3.4.2-4.37.1
SUSE CaaS Platform 4.0 (src): ffmpeg-3.4.2-4.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.
This is an autogenerated message for OBS integration: This bug (1189724) was mentioned in https://build.opensuse.org/request/show/1169676 Backports:SLE-15-SP5 / ffmpeg-4
This is an autogenerated message for OBS integration: This bug (1189724) was mentioned in https://build.opensuse.org/request/show/1169721 Backports:SLE-15-SP5 / ffmpeg-4