Bug 1190721 (CVE-2020-20894) - VUL-0: CVE-2020-20894: ffmpeg: Buffer Overflow vulnerability in function gaussian_blur in libavfilter/vf_edgedetect.c
Status: RESOLVED FIXED
Alias: CVE-2020-20894
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/310567/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-20894:6.5:(AV:...
Reported: 2021-09-21 14:01 UTC by Alexander Bergmann
Modified: 2024-06-07 12:14 UTC

Found By: Security Response Team


Description Alexander Bergmann 2021-09-21 14:01:24 UTC
CVE-2020-20894

Buffer Overflow vulnerability in function gaussian_blur in
libavfilter/vf_edgedetect.c in Ffmpeg 4.2.1, allows attackers to cause a Denial
of Service or other unspecified impacts.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-20894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20894
https://trac.ffmpeg.org/ticket/8260
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ccf4ab8c9aca0aee66bcc2914031a9c97ac0eeb8
Comment 1 Alexander Bergmann 2021-09-22 13:59:56 UTC
This commit is already present in our 3.4.2 version, but has a different CVE.

bsc#1186605 - CVE-2020-22025

We should correct the changes entry and follow up on CVE-2020-22025.
Comment 2 Alynx Zhou 2021-10-13 08:39:53 UTC
(In reply to Alexander Bergmann from comment #1)
> This commit is already present in our 3.4.2 version, but has a different CVE.
> 
> bsc#1186605 - CVE-2020-22025
> 
> We should correct the changes entry and follow up on CVE-2020-22025.

Those bugs share the same ticket number (#8260).
Comment 3 Alexander Bergmann 2022-01-11 14:34:21 UTC
We need the bug and CVE references of this bug inside the changes file so we can track that it is fixed.

Please extend the following entry with the bsc#/CVE details.

- Add ffmpeg-CVE-2020-22025.patch: Backport from upstream to fix
  a heap-based Buffer Overflow vulnerability exists in
  gaussian_blur at libavfilter/vf_edgedetect.c (bsc#1186605).
Comment 7 Alynx Zhou 2024-04-29 10:41:47 UTC
The change log has been updated and merged; it should have a reference to this bug now.
Comment 8 Maintenance Automation 2024-04-29 20:30:06 UTC
SUSE-SU-2024:1468-1: An update that solves nine vulnerabilities can now be installed.

Category: security (important)
Bug References: 1190721, 1190724, 1190727, 1190728, 1190731, 1190732, 1223070, 1223235
CVE References: CVE-2020-20894, CVE-2020-20898, CVE-2020-20900, CVE-2020-20901, CVE-2021-38090, CVE-2021-38091, CVE-2021-38094, CVE-2023-49502, CVE-2024-31578
Maintenance Incident: [SUSE:Maintenance:32836](https://smelt.suse.de/incident/32836/)
Sources used:
openSUSE Leap 15.5 (src):
 ffmpeg-3.4.2-150200.11.41.1
Desktop Applications Module 15-SP5 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Package Hub 15 15-SP5 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src):
 ffmpeg-3.4.2-150200.11.41.1
SUSE Enterprise Storage 7.1 (src):
 ffmpeg-3.4.2-150200.11.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Andrea Mattiazzo 2024-06-07 12:14:06 UTC
All done, closing.