[FFmpeg-trac] #8978(undetermined:new): ffmpeg dependency security bug

FFmpeg trac at avcodec.org
Thu Nov 12 09:49:31 EET 2020


#8978: ffmpeg dependency security bug
-------------------------------------+-------------------------------------
             Reporter:  fastfading   |                     Type:  defect
               Status:  new          |                 Priority:  important
            Component:  undetermined |                  Version:  git-master
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Current ffmpeg version 4.3.1
 ffmpeg version 4.3.1-static https://johnvansickle.com/ffmpeg/  Copyright
 (c) 2000-2020 the FFmpeg developers
   built with gcc 8 (Debian 8.3.0-6)
   configuration: --enable-gpl --enable-version3 --enable-static
 --disable-debug --disable-ffplay --disable-indev=sndio --disable-outdev=sndio
 --cc=gcc --enable-fontconfig --enable-frei0r --enable-gnutls --enable-gmp
 --enable-libgme --enable-gray --enable-libaom --enable-libfribidi
 --enable-libass --enable-libvmaf --enable-libfreetype --enable-libmp3lame
 --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg
 --enable-librubberband --enable-libsoxr --enable-libspeex --enable-libsrt
 --enable-libvorbis --enable-libopus --enable-libtheora --enable-libvidstab
 --enable-libvo-amrwbenc --enable-libvpx --enable-libwebp --enable-libx264
 --enable-libx265 --enable-libxml2 --enable-libdav1d --enable-libxvid
 --enable-libzvbi --enable-libzimg

 Depends on 3rd party:
 Lib        Bug ID          Version  Latest Known Version
 openjpeg   CVE-2016-7163   2.3.1    2.3.1
 libpng     CVE-2019-7317   1.6.36   1.6.37
 bzip2      CVE-2019-12900  1.0.6    1.0.8
 expat      CVE-2019-15903  2.2.6    2.2.10
 alsa       CVE-2019-13351  1.0.17

 These 3rd party libs all have security bugs.
 You can easily google the CVE bug ID for details.
 For example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
 Please upgrade these libs to the newest version to fix that.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8978>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

