Advisories » MGASA-2020-0046

Updated ffmpeg packages fix security vulnerabilities

Publication date: 22 Jan 2020
Modification date: 22 Jan 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-17539 , CVE-2019-17542

Description

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 4.1.5, which fixes several bugs, and
atleasst the follwing security vulnerabilities:

In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL
pointer dereference and possibly unspecified other impact when there is
no valid close function pointer (CVE-2019-17539).

FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode_chunk
because of an out-of-array access in vqa_decode_init in libavcodec/
vqavideo.c (CVE-2019-17542).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26072
• https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.5
• http://ffmpeg.org/download.html
• http://ffmpeg.org/security.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17539
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17542

SRPMS

7/core

• ffmpeg-4.1.5-1.mga7

7/tainted

• ffmpeg-4.1.5-1.mga7.tainted