Merged
requested to merge aloisklink/aports:3.17/community/ffmpeg-backport-fix-for-CVE-2022-3965 into 3.17-stable
Add patches for CVE-2022-3964 and CVE-2022-3965 for Alpine Linux 3.17.
These CVEs have been fixed in ffmpeg v6.0.0 and the fixes have been backported to ffmpeg's release/v5.1 branch, but there hasn't been a new 5.1.x release since 2022-09-24.
Patches taken from:
- https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/13c13109759090b7f7182480d075e13b36ed8edd
- https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257 (Edit: taken from the release/v5.1 branch)
I don't believe there's a PoC for those CVEs, but I've done a really basic test with the following and the patches don't seem to break anything at least:
```sh
ffmpeg -f lavfi -i testsrc=duration=10:size=1280x720:rate=30 -t 30 -map 0 -c:v smc -c:a copy example1.mov
ffmpeg -f lavfi -i testsrc=duration=10:size=1280x720:rate=30 -t 30 -map 0 -c:v rpza -c:a copy example2.mov
```
This is my first time making a MR to Alpine Linux, so please let me know if I'm doing anything wrong!