openSUSE Security Update : ffmpeg-4 (openSUSE-2020-24)

high Nessus Plugin ID 132910

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for ffmpeg-4 fixes the following issues :

ffmpeg-4 was updated to version 4.0.5, fixes boo#1133153

- CVE-2019-11339: The studio profile decoder in libavcodec/mpeg4videodec.c in FFmpeg 4.0 allowed remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified. (bsc#1133153)

- For other changes see /usr/share/doc/packages/libavcodec58/Changelog

Update to version 4.2.1 :

- Stable bug fix release, mainly codecs and format fixes.

- CVE-2019-15942: 'Conditional jump or move depends on uninitialised value' issue in h2645_parse (boo#1149839)

Update to FFmpeg 4.2 'Ada'

- tpad filter

- AV1 decoding support through libdav1d

- dedot filter

- chromashift and rgbashift filters

- freezedetect filter

- truehd_core bitstream filter

- dhav demuxer

- PCM-DVD encoder

- GIF parser

- vividas demuxer

- hymt decoder

- anlmdn filter

- maskfun filter

- hcom demuxer and decoder

- ARBC decoder

- libaribb24 based ARIB STD-B24 caption support (profiles A and C)

- Support decoding of HEVC 4:4:4 content in nvdec and cuviddec

- removed libndi-newtek

- agm decoder

- KUX demuxer

- AV1 frame split bitstream filter

- lscr decoder

- lagfun filter

- asoftclip filter

- Support decoding of HEVC 4:4:4 content in vdpau

- colorhold filter

- xmedian filter

- asr filter

- showspatial multimedia filter

- VP4 video decoder

- IFV demuxer

- derain filter

- deesser filter

- mov muxer writes tracks with unspecified language instead of English by default

- added support for using clang to compile CUDA kernels

- See /usr/share/doc/packages/ffmpeg-4/Changelog for the complete changelog.

Update to version 4.1.4

- See /usr/share/doc/packages/ffmpeg-4/Changelog for the complete changelog.

- Allow fdkaac to be enabled at runtime via --enable-libfdk-aac-dlopen

Update to version 4.1.3 :

- Updates and bug fixes for codecs, filters and formats. [boo#1133153, boo#1133155, CVE-2019-11338, CVE-2019-11339]

Update to version 4.1.2 :

- Updates and bug fixes for codecs, filters and formats.

Update to version 4.1.1 :

- Various filter and codec fixes and enhancements.

- configure: Add missing xlib dependency for VAAPI X11 code.

- For complete changelog, see /usr/share/doc/packages/ffmpeg-4/Changelog

- enable AV1 support on x86_64

Update ffmpeg to 4.1 :

- Lots of filter updates as usual: deblock, tmix, amplify, fftdnoiz, aderivative, aintegral, pal75bars, pal100bars, adeclick, adeclip, lensfun (wrapper), colorconstancy, 1D LUT filter (lut1d), cue, acue, transpose_npp, amultiply, Block-Matching 3d (bm3d) denoising filter, acrossover filter, audio denoiser as afftdn filter, sinc audio filter source, chromahold, setparams, vibrance, xstack, (a)graphmonitor filter, yadif_cuda filter.

- AV1 parser

- Support for AV1 in MP4

- PCM VIDC decoder and encoder

- libtensorflow backend for DNN based filters like srcnn

- The following are only enabled in third-party builds :

- ATRAC9 decoder

- AVS2 video decoder via libdavs2

- IMM4 video decoder

- Brooktree ProSumer video decoder

- MatchWare Screen Capture Codec decoder

- WinCam Motion Video decoder

- RemotelyAnywhere Screen Capture decoder

- AVS2 video encoder via libxavs2

- ILBC decoder

- SER demuxer

- Decoding S12M timecode in H264

- For complete changelog, see https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1

Update ffmpeg to 4.0.3 :

- For complete changelog, see https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.0.3

- CVE-2018-13305: Added a missing check for negative values of the mquant variable (boo#1100345).

Solution

Update the affected ffmpeg-4 packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1100345

https://bugzilla.opensuse.org/show_bug.cgi?id=1133123

https://bugzilla.opensuse.org/show_bug.cgi?id=1133153

https://bugzilla.opensuse.org/show_bug.cgi?id=1133155

https://bugzilla.opensuse.org/show_bug.cgi?id=1149839

https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.0.3

https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1

Plugin Details

Severity: High

ID: 132910

File Name: openSUSE-2020-24.nasl

Version: 1.3

Type: local

Agent: unix

Published: 1/15/2020

Updated: 3/29/2024

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-15942

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:ffmpeg-4-debugsource, p-cpe:/a:novell:opensuse:ffmpeg-4-libavcodec-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-libavdevice-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-libavfilter-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-libavformat-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-libavresample-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-libavutil-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-libpostproc-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-libswresample-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-libswscale-devel, p-cpe:/a:novell:opensuse:ffmpeg-4-private-devel, p-cpe:/a:novell:opensuse:libavcodec58, p-cpe:/a:novell:opensuse:libavcodec58-32bit, p-cpe:/a:novell:opensuse:libavcodec58-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavcodec58-debuginfo, p-cpe:/a:novell:opensuse:libavdevice58, p-cpe:/a:novell:opensuse:libavdevice58-32bit, p-cpe:/a:novell:opensuse:libavdevice58-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavdevice58-debuginfo, p-cpe:/a:novell:opensuse:libavfilter7, p-cpe:/a:novell:opensuse:libavfilter7-32bit, p-cpe:/a:novell:opensuse:libavfilter7-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavfilter7-debuginfo, p-cpe:/a:novell:opensuse:libavformat58, p-cpe:/a:novell:opensuse:libavformat58-32bit, p-cpe:/a:novell:opensuse:libavformat58-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavformat58-debuginfo, p-cpe:/a:novell:opensuse:libavresample4, p-cpe:/a:novell:opensuse:libavresample4-32bit, p-cpe:/a:novell:opensuse:libavresample4-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavresample4-debuginfo, p-cpe:/a:novell:opensuse:libavutil56, p-cpe:/a:novell:opensuse:libavutil56-32bit, p-cpe:/a:novell:opensuse:libavutil56-32bit-debuginfo, p-cpe:/a:novell:opensuse:libavutil56-debuginfo, p-cpe:/a:novell:opensuse:libpostproc55, p-cpe:/a:novell:opensuse:libpostproc55-32bit, p-cpe:/a:novell:opensuse:libpostproc55-32bit-debuginfo, p-cpe:/a:novell:opensuse:libpostproc55-debuginfo, p-cpe:/a:novell:opensuse:libswresample3, p-cpe:/a:novell:opensuse:libswresample3-32bit, 
p-cpe:/a:novell:opensuse:libswresample3-32bit-debuginfo, p-cpe:/a:novell:opensuse:libswresample3-debuginfo, p-cpe:/a:novell:opensuse:libswscale5, p-cpe:/a:novell:opensuse:libswscale5-32bit, p-cpe:/a:novell:opensuse:libswscale5-32bit-debuginfo, p-cpe:/a:novell:opensuse:libswscale5-debuginfo, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/13/2020

Vulnerability Publication Date: 12/12/2017

Reference Information

CVE: CVE-2017-17555, CVE-2018-13305, CVE-2019-11338, CVE-2019-11339, CVE-2019-15942