1186761 – (CVE-2020-22042) VUL-1: CVE-2020-22042: ffmpeg: Denial of Service vulnerability exists due to a memory leak is affected by: memory leak in the link_filter_inouts function in libavfilter/graphparser.c

Bug 1186761 (CVE-2020-22042) - VUL-1: CVE-2020-22042: ffmpeg: Denial of Service vulnerability exists due to a memory leak is affected by: memory leak in the link_filter_inouts function in libavfilter/graphparser.c

Summary: VUL-1: CVE-2020-22042: ffmpeg: Denial of Service vulnerability exists due to ...

Status:	RESOLVED FIXED

Alias:	CVE-2020-22042

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/301108/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-22042:6.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2021-06-02 12:42 UTC by Alexander Bergmann
Modified:	2024-05-23 15:36 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2021-06-02 12:42:24 UTC

CVE-2020-22042

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak is
affected by: memory leak in the link_filter_inouts function in
libavfilter/graphparser.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22042
https://trac.ffmpeg.org/ticket/8267

Comment 1 Alynx Zhou 2021-06-03 02:52:57 UTC

This fix seems not applicable for ffmpeg 3.4.2 in SLE-15 and SLE-15-SP2?

Comment 2 Alynx Zhou 2021-06-03 02:57:14 UTC

Also - openSUSE Factory has ffmpeg 4.4, do I still need to fix this bug?

Comment 3 Gianluca Gabrielli 2021-06-03 09:17:39 UTC

Yes please, if Factory is affected we always need to submit the patch there.
Keep in mind that we allow version bump in Factory.

Comment 5 Alexander Bergmann 2021-09-22 07:22:00 UTC

(In reply to Alynx Zhou from comment #1)
> This fix seems not applicable for ffmpeg 3.4.2 in SLE-15 and SLE-15-SP2?

Hi Alynx! It is not clear to me why ffmpeg 3.4.2 is not affected by this missing free.

The new code is using the OutputFilter structure to free up 'name', 'formats', 'channel_layouts' and 'sample_rates'.

New:
>        for (j = 0; j < fg->nb_outputs; j++) {
>            OutputFilter *ofilter = fg->outputs[j];
>
>            avfilter_inout_free(&ofilter->out_tmp);
>            av_freep(&ofilter->name);
>            av_freep(&ofilter->formats);
>            av_freep(&ofilter->channel_layouts);
>            av_freep(&ofilter->sample_rates);
>            av_freep(&fg->outputs[j]);
>        }

The old code is accessing those fields directly via the 'outputs' field inside the 'FilterGraph' structure.

Old:
>        for (j = 0; j < fg->nb_outputs; j++) {
>            av_freep(&fg->outputs[j]->name);
>            av_freep(&fg->outputs[j]->formats);
>            av_freep(&fg->outputs[j]->channel_layouts);
>            av_freep(&fg->outputs[j]->sample_rates);
>            av_freep(&fg->outputs[j]);
>        }

The fix in question is adding a free for the 'out_tmp' AVFilterInOut structure. This field inside the OutputFilter structure also exists inside the old code.

A backport could look like this:

>            avfilter_inout_free(&fg->outputs[j]->out_tmp);

Comment 8 Alynx Zhou 2021-09-22 07:24:30 UTC

(In reply to Alexander Bergmann from comment #5)
> (In reply to Alynx Zhou from comment #1)
> > This fix seems not applicable for ffmpeg 3.4.2 in SLE-15 and SLE-15-SP2?
> 
> Hi Alynx! It is not clear to me why ffmpeg 3.4.2 is not affected by this
> missing free.
> 
> The new code is using the OutputFilter structure to free up 'name',
> 'formats', 'channel_layouts' and 'sample_rates'.
> 
> New:
> >        for (j = 0; j < fg->nb_outputs; j++) {
> >            OutputFilter *ofilter = fg->outputs[j];
> >
> >            avfilter_inout_free(&ofilter->out_tmp);
> >            av_freep(&ofilter->name);
> >            av_freep(&ofilter->formats);
> >            av_freep(&ofilter->channel_layouts);
> >            av_freep(&ofilter->sample_rates);
> >            av_freep(&fg->outputs[j]);
> >        }
> 
> The old code is accessing those fields directly via the 'outputs' field
> inside the 'FilterGraph' structure.
> 
> Old:
> >        for (j = 0; j < fg->nb_outputs; j++) {
> >            av_freep(&fg->outputs[j]->name);
> >            av_freep(&fg->outputs[j]->formats);
> >            av_freep(&fg->outputs[j]->channel_layouts);
> >            av_freep(&fg->outputs[j]->sample_rates);
> >            av_freep(&fg->outputs[j]);
> >        }
> 
> The fix in question is adding a free for the 'out_tmp' AVFilterInOut
> structure. This field inside the OutputFilter structure also exists inside
> the old code.
> 
> A backport could look like this:
> 
> >            avfilter_inout_free(&fg->outputs[j]->out_tmp);

OK, will try it again.

Comment 9 Alynx Zhou 2021-09-27 01:50:47 UTC

https://build.suse.de/request/show/255150
https://build.suse.de/request/show/255151

Comment 10 Alynx Zhou 2021-09-27 01:53:04 UTC

(In reply to Gianluca Gabrielli from comment #3)
> Yes please, if Factory is affected we always need to submit the patch there.
> Keep in mind that we allow version bump in Factory.

Factory is not affected because FFmpeg 4.4 already contains this fix.

Comment 11 Swamp Workflow Management 2021-10-06 19:51:44 UTC

SUSE-SU-2021:3293-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1186761
CVE References: CVE-2020-22042
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    ffmpeg-3.4.2-11.14.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    ffmpeg-3.4.2-11.14.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    ffmpeg-3.4.2-11.14.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    ffmpeg-3.4.2-11.14.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    ffmpeg-3.4.2-11.14.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    ffmpeg-3.4.2-11.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2021-10-06 20:01:58 UTC

openSUSE-SU-2021:3293-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1186761
CVE References: CVE-2020-22042
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ffmpeg-3.4.2-11.14.1

Comment 15 Swamp Workflow Management 2023-01-02 14:23:02 UTC

SUSE-SU-2023:0005-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1186756,1186761,1187852,1189166,1190718,1190719,1190722,1190723,1190726,1190729,1190733,1190734,1190735,1206442
CVE References: CVE-2020-20891,CVE-2020-20892,CVE-2020-20895,CVE-2020-20896,CVE-2020-20899,CVE-2020-20902,CVE-2020-22037,CVE-2020-22042,CVE-2020-35965,CVE-2021-3566,CVE-2021-38092,CVE-2021-38093,CVE-2021-38094,CVE-2022-3109
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server for SAP 15 (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-LTSS (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE Enterprise Storage 6 (src):    ffmpeg-3.4.2-150000.4.44.1
SUSE CaaS Platform 4.0 (src):    ffmpeg-3.4.2-150000.4.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Andrea Mattiazzo 2024-05-23 15:36:02 UTC

All done, closing.