Bug 1206778 (CVE-2022-3341) - VUL-0: CVE-2022-3341: ffmpeg-4,ffmpeg: null pointer dereference in decode_main_header() in libavformat/nutdec.c
Summary: VUL-0: CVE-2022-3341: ffmpeg-4,ffmpeg: null pointer dereference in decode_mai...
Status: RESOLVED FIXED
Alias: CVE-2022-3341
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/352111/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-3341:4.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-02 09:36 UTC by Cathy Hu
Modified: 2024-05-03 09:37 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Cathy Hu 2023-01-02 09:36:38 UTC
rh#2157054

An issue was discovered in the FFmpeg in decode_main_header in libavformat/nutdec.c lacks check of the return value of avformat_new_stream() and will cause the null pointer dereference.

https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2157054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3341
Comment 1 Cathy Hu 2023-01-02 09:37:05 UTC
Affected:
- SUSE:SLE-15-SP2:Update/ffmpeg           3.4.2
- SUSE:SLE-15:Update/ffmpeg               3.4.2
- SUSE:SLE-15-SP4:Update/ffmpeg-4         4.4  
- openSUSE:Backports:SLE-15-SP3/ffmpeg-4  4.4  
- openSUSE:Factory/ffmpeg-4               4.4.3
Comment 6 Swamp Workflow Management 2023-01-26 20:40:10 UTC
SUSE-SU-2023:0172-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1206778
CVE References: CVE-2022-3341
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ffmpeg-4-4.4-150400.3.11.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    ffmpeg-4-4.4-150400.3.11.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    ffmpeg-4-4.4-150400.3.11.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src):    ffmpeg-4-4.4-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2023-01-30 14:17:04 UTC
SUSE-SU-2023:0206-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1140754,1206778
CVE References: CVE-2019-13390,CVE-2022-3341
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ffmpeg-3.4.2-150200.11.25.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    ffmpeg-3.4.2-150200.11.25.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src):    ffmpeg-3.4.2-150200.11.25.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    ffmpeg-3.4.2-150200.11.25.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src):    ffmpeg-3.4.2-150200.11.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-05-05 16:30:01 UTC
SUSE-SU-2023:2115-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1140754, 1206778, 1209934
CVE References: CVE-2019-13390, CVE-2022-3341, CVE-2022-48434
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ffmpeg-3.4.2-150000.4.53.2
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ffmpeg-3.4.2-150000.4.53.2
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ffmpeg-3.4.2-150000.4.53.2
SUSE Enterprise Storage 6 (src): ffmpeg-3.4.2-150000.4.53.2
SUSE CaaS Platform 4.0 (src): ffmpeg-3.4.2-150000.4.53.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 OBSbugzilla Bot 2024-04-22 14:26:14 UTC
This is an autogenerated message for OBS integration:
This bug (1206778) was mentioned in
https://build.opensuse.org/request/show/1169676 Backports:SLE-15-SP5 / ffmpeg-4
Comment 11 OBSbugzilla Bot 2024-04-22 17:16:08 UTC
This is an autogenerated message for OBS integration:
This bug (1206778) was mentioned in
https://build.opensuse.org/request/show/1169721 Backports:SLE-15-SP5 / ffmpeg-4
Comment 12 Robert Frohl 2024-05-03 09:37:34 UTC
done, closing