Bugzilla – Bug 1214247
VUL-0: CVE-2020-36138: ffmpeg,ffmpeg-4: NULL pointer dereference in decode_frame() in libavcodec/tiff.c
Last modified: 2023-10-23 08:21:48 UTC
CVE-2020-36138 An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36138 https://www.cve.org/CVERecord?id=CVE-2020-36138 https://github.com/FFmpeg/FFmpeg/commit/292e41ce650a7b5ca5de4ae87fff0d6a90d9fc97 https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2020-November/272001.html https://trac.ffmpeg.org/ticket/8960
Affects: - SUSE:SLE-15:Update/ffmpeg - SUSE:SLE-15-SP2:Update/ffmpeg
(In reply to Stoyan Manolov from comment #3) > Ping? SUSE:SLE-15:Update/ffmpeg and SUSE:SLE-15-SP2:Update/ffmpeg doesn't seem to be affected by this CVE. The patch mentioned in comment#0 says it's a regression since da5b3d0[1]. And that commit was created on Oct 8, 2020. However the version we're shipping in SUSE:SLE-15:Update and SUSE:SLE-15-SP2:Update is 3.4.2, which is released in February, 2018. Besides, this latest comment[2] said the issue is not really fixed. *[1] https://github.com/FFmpeg/FFmpeg/commit/da5b3d002862d1e105002a6dc1567e6551860896 *[2] https://trac.ffmpeg.org/ticket/8960#comment:8
(In reply to Carlos López from comment #1) > Affects: > - SUSE:SLE-15:Update/ffmpeg > - SUSE:SLE-15-SP2:Update/ffmpeg @Carlos Can you double check whether this issue affects these products? See my previous findings in comment#4.
(In reply to Jonathan Kang from comment #5) > (In reply to Carlos López from comment #1) > > Affects: > > - SUSE:SLE-15:Update/ffmpeg > > - SUSE:SLE-15-SP2:Update/ffmpeg > > @Carlos > > Can you double check whether this issue affects these products? See my > previous findings in comment#4. That looks right, closing.