Bugzilla – Bug 1223215
VUL-0: CVE-2023-49501: ffmpeg: buffer overflow via the config_eq_output function in libavfilter/asrc_afirsrc.c
Last modified: 2024-04-26 22:16:08 UTC
Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the config_eq_output function in the libavfilter/asrc_afirsrc.c:495:30 component. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49501 https://www.cve.org/CVERecord?id=CVE-2023-49501 https://github.com/FFmpeg/FFmpeg https://trac.ffmpeg.org/ticket/10686 https://trac.ffmpeg.org/ticket/10686#no1 https://bugzilla.redhat.com/show_bug.cgi?id=2276114
Affected packages: - openSUSE:Factory/ffmpeg-6
It seems like the fix for this issue are the changes applied by commit 4adb93df [0]. The function where this fix is applied (config_eq_output), however, was only introduced when the changes from commit 19148a5b [1] were introduced as well: in version 6.1 of FFmpeg. This means that versions 6.0 and earlier are not affected by this issue, as the vulnerable code is not present. [0] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/4adb93dff05dd947878c67784d98c9a4e13b57a7 [1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/19148a5b9f44bed660258a5896d1d12d77d3d9ab
This is an autogenerated message for OBS integration: This bug (1223215) was mentioned in https://build.opensuse.org/request/show/1169718 Factory / ffmpeg-6