[3.17] community/ffmpeg: fix CVE-2022-3964, CVE-2022-3965

Add patches for CVE-2022-3964 and CVE-2022-3965 for Alpine Linux 3.17.

These CVEs have been fixed in ffmpeg v6.0.0, but although they've been backported to ffmpeg's release/v5.1 branch, there hasn't been a new 5.1.x release since 2022-09-24.

Patches taken from:

I don't believe there's a PoC for those CVEs, but I've done a really basic test with the following and the patches don't seem to break anything at least:

ffmpeg -f lavfi -i testsrc=duration=10:size=1280x720:rate=30 -t 30 -map 0 -c:v smc -c:a copy example1.mov
ffmpeg -f lavfi -i testsrc=duration=10:size=1280x720:rate=30 -t 30 -map 0 -c:v rpza -c:a copy example2.mov

This is my first time making an MR to Alpine Linux, so please let me know if I'm doing anything wrong!

Edited by Alois Klink