Bugzilla – Bug 1206442
VUL-0: CVE-2022-3109: ffmpeg,ffmpeg-4: Null Pointer Dereference
Last modified: 2024-04-22 17:16:07 UTC
rh#2153551

[Suggested description]
An issue was discovered in the FFmpeg through 3.0. vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause the null pointer dereference.

[VulnerabilityType Other]
NULL Pointer Dereference

[Vendor of Product]
the development group

[Affected Product Code Base]
FFmpeg - 3.0

[Reference]
https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568

[Discoverer]
Jiasheng Jiang

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2153551
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3109
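The defect class described above, as an added example that is not part of this bug report or of FFmpeg's own code: a constructed decoder-like function allocates a per-frame buffer and either uses the result without a NULL check (the pattern the CVE describes) or propagates AVERROR(ENOMEM) on failure (the hardened form). The allocator test_av_malloc() and the fail_next_alloc hook are assumptions standing in for av_malloc(), so that allocation failure can be simulated deterministically; the AVERROR macro is redefined locally with FFmpeg's POSIX convention (negative errno) so the block builds without libavutil.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FFmpeg's AVERROR(e) is -e on POSIX; defined here so the example builds
 * without libavutil (assumption: same convention as the real macro). */
#define AVERROR(e) (-(e))

/* Hypothetical test hook standing in for av_malloc(): when fail_next_alloc
 * is set, the next allocation returns NULL, simulating memory exhaustion. */
static int fail_next_alloc = 0;

static void *test_av_malloc(size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(size);
}

/* Constructed context; edge_emu_buffer mirrors the per-frame buffer idea. */
typedef struct {
    int width, height;
    uint8_t *edge_emu_buffer;
} DecodeCtx;

/* Pattern the CVE describes (constructed, not the real vp3_decode_frame):
 * the allocation result is written to without a NULL check, so a failed
 * allocation becomes a NULL pointer dereference. */
static int decode_frame_unchecked(DecodeCtx *s, size_t len)
{
    s->edge_emu_buffer = test_av_malloc(len);
    memset(s->edge_emu_buffer, 0, len); /* crashes if allocation failed */
    return 0;
}

/* Hardened form: check the allocation and propagate ENOMEM to the caller. */
static int decode_frame_checked(DecodeCtx *s, size_t len)
{
    s->edge_emu_buffer = test_av_malloc(len);
    if (!s->edge_emu_buffer)
        return AVERROR(ENOMEM);
    memset(s->edge_emu_buffer, 0, len);
    return 0;
}

/* Run one decode with the chosen variant and optional simulated allocation
 * failure; returns the decoder's return code. Only the hardened variant is
 * safe to run with simulate_failure set. */
int run_decoder(int hardened, int simulate_failure)
{
    DecodeCtx s = {0};
    fail_next_alloc = simulate_failure;
    int ret = hardened ? decode_frame_checked(&s, 64)
                       : decode_frame_unchecked(&s, 64);
    free(s.edge_emu_buffer);
    return ret;
}

int main(void)
{
    printf("hardened, normal alloc:  %d\n", run_decoder(1, 0));
    printf("hardened, failed alloc:  %d (AVERROR(ENOMEM) = %d)\n",
           run_decoder(1, 1), AVERROR(ENOMEM));
    /* run_decoder(0, 1) is deliberately not called: it dereferences NULL. */
    return 0;
}
```

Under a fault-injection harness (or a malloc wrapper that fails on demand) the checked variant is the one that turns out-of-memory into an error return the caller can handle, which is the behaviour the referenced upstream commit restores.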
Affected:
- SUSE:SLE-15-SP2:Update/ffmpeg 3.4.2
- SUSE:SLE-15-SP4:Update/ffmpeg-4 4.4
- SUSE:SLE-15:Update/ffmpeg 3.4.2
- openSUSE:Backports:SLE-15-SP3/ffmpeg-4 4.4
- openSUSE:Factory/ffmpeg-4 4.4.3

Not Affected:
- openSUSE:Factory/ffmpeg-5 5.1.2
Hi Alynx, can you please help to balance a bit the load of CVE, thanks.
(In reply to Yifan Jiang from comment #2)
> Hi Alynx, can you please help to balance a bit the load of CVE, thanks.

OK, I'll handle this soon.
https://build.opensuse.org/request/show/1044384
This is an autogenerated message for OBS integration: This bug (1206442) was mentioned in https://build.opensuse.org/request/show/1044594 Factory / ffmpeg-4
https://build.suse.de/request/show/287365 SLE-15:Update
https://build.suse.de/request/show/287366 SLE-15-SP2:Update
https://build.suse.de/request/show/287367 SLE-15-SP4:Update
SUSE-SU-2023:0008-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1206442
CVE References: CVE-2022-3109
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): ffmpeg-4-4.4-150400.3.8.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src): ffmpeg-4-4.4-150400.3.8.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): ffmpeg-4-4.4-150400.3.8.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): ffmpeg-4-4.4-150400.3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0005-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1186756,1186761,1187852,1189166,1190718,1190719,1190722,1190723,1190726,1190729,1190733,1190734,1190735,1206442
CVE References: CVE-2020-20891,CVE-2020-20892,CVE-2020-20895,CVE-2020-20896,CVE-2020-20899,CVE-2020-20902,CVE-2020-22037,CVE-2020-22042,CVE-2020-35965,CVE-2021-3566,CVE-2021-38092,CVE-2021-38093,CVE-2021-38094,CVE-2022-3109
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server for SAP 15 (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise Server 15-LTSS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): ffmpeg-3.4.2-150000.4.44.1
SUSE Enterprise Storage 6 (src): ffmpeg-3.4.2-150000.4.44.1
SUSE CaaS Platform 4.0 (src): ffmpeg-3.4.2-150000.4.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0007-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1206442
CVE References: CVE-2022-3109
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): ffmpeg-3.4.2-150200.11.20.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src): ffmpeg-3.4.2-150200.11.20.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src): ffmpeg-3.4.2-150200.11.20.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): ffmpeg-3.4.2-150200.11.20.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): ffmpeg-3.4.2-150200.11.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1206442) was mentioned in https://build.opensuse.org/request/show/1046436 Backports:SLE-15-SP3 / ffmpeg-4
https://build.opensuse.org/request/show/1046436 openSUSE:Backports:SLE-15-SP3:Update
https://build.opensuse.org/request/show/1046436 has been declined with "15 sp3 backports is eol", do we still need to fix it?
Ah, thanks for the submissions, no then you don't have to fix openSUSE:Backports:SLE-15-SP3:Update. Done, closing.
This is an autogenerated message for OBS integration: This bug (1206442) was mentioned in https://build.opensuse.org/request/show/1169676 Backports:SLE-15-SP5 / ffmpeg-4
This is an autogenerated message for OBS integration: This bug (1206442) was mentioned in https://build.opensuse.org/request/show/1169721 Backports:SLE-15-SP5 / ffmpeg-4