Security update for ffmpeg

Announcement ID:	SUSE-SU-2021:2322-1
Rating:	moderate
References:	bsc#1172640 bsc#1186406 bsc#1186583 bsc#1186586 bsc#1186587 bsc#1186596 bsc#1186597 bsc#1186598 bsc#1186600 bsc#1186603 bsc#1186604 bsc#1186605 bsc#1186613 bsc#1186614 bsc#1186615 bsc#1186616 bsc#1186658 bsc#1186660 bsc#1186757 bsc#1186758 bsc#1186762 bsc#1186763
Cross-References:	CVE-2019-17539 CVE-2020-13904 CVE-2020-20448 CVE-2020-20451 CVE-2020-21041 CVE-2020-22015 CVE-2020-22016 CVE-2020-22017 CVE-2020-22019 CVE-2020-22020 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 CVE-2020-22025 CVE-2020-22026 CVE-2020-22031 CVE-2020-22032 CVE-2020-22033 CVE-2020-22034 CVE-2020-22038 CVE-2020-22039 CVE-2020-22043 CVE-2020-22044
CVSS scores:	CVE-2019-17539 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2019-17539 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-13904 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVE-2020-13904 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-20448 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-20448 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-20451 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-20451 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-21041 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-21041 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-22015 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22015 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22016 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2020-22016 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22017 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22017 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22019 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22019 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22020 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22020 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22021 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22021 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22022 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22022 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22023 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22023 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22025 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22025 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22026 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22026 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22031 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22031 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22032 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22032 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22033 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22033 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22034 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22034 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-22038 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22039 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22043 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22044 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	Desktop Applications Module 15-SP2 Desktop Applications Module 15-SP3 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Workstation Extension 15 SP2 SUSE Linux Enterprise Workstation Extension 15 SP3 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.1 SUSE Manager Server 4.2 SUSE Package Hub 15 15-SP2 SUSE Package Hub 15 15-SP3

An update that solves 23 vulnerabilities can now be installed.

Description:

This update for ffmpeg fixes the following issues:

• CVE-2020-13904: Fixed use-after-free via a crafted EXTINF duration in an m3u8 file (bsc#1172640).
• CVE-2020-21041: Fixed buffer overflow vulnerability via apng_do_inverse_blend in libavcodec/pngenc.c (bsc#1186406).
• CVE-2019-17539: Fixed NULL pointer dereference in avcodec_open2 in libavcodec/utils.c (bsc# 1154065).
• CVE-2020-22026: Fixed buffer overflow vulnerability in config_input() at libavfilter/af_tremolo.c (bsc#1186583).
• CVE-2020-22021: Fixed buffer overflow vulnerability in filter_edges function in libavfilter/vf_yadif.c (bsc#1186586).
• CVE-2020-22020: Fixed buffer overflow vulnerability in build_diff_map() in libavfilter/vf_fieldmatch.c (bsc#1186587).
• CVE-2020-22015: Fixed buffer overflow vulnerability in mov_write_video_tag() due to the out of bounds in libavformat/movenc.c (bsc#1186596).
• CVE-2020-22016: Fixed a heap-based Buffer Overflow vulnerability at libavcodec/get_bits.h when writing .mov files (bsc#1186598).
• CVE-2020-22017: Fixed a heap-based Buffer Overflow vulnerability in ff_fill_rectangle() in libavfilter/drawutils.c (bsc#1186600).
• CVE-2020-22022: Fixed a heap-based Buffer Overflow vulnerability in filter_frame at libavfilter/vf_fieldorder.c (bsc#1186603).
• CVE-2020-22023: Fixed a heap-based Buffer Overflow vulnerability in filter_frame at libavfilter/vf_bitplanenoise.c (bsc#1186604)
• CVE-2020-22025: Fixed a heap-based Buffer Overflow vulnerability in gaussian_blur at libavfilter/vf_edgedetect.c (bsc#1186605).
• CVE-2020-22031: Fixed a heap-based Buffer Overflow vulnerability at libavfilter/vf_w3fdif.c in filter16_complex_low() (bsc#1186613).
• CVE-2020-22032: Fixed a heap-based Buffer Overflow vulnerability at libavfilter/vf_edgedetect.c in gaussian_blur() (bsc#1186614).
• CVE-2020-22034: Fixed a heap-based Buffer Overflow vulnerability at libavfilter/vf_floodfill.c (bsc#1186616).
• CVE-2020-20451: Fixed denial of service issue due to resource management errors via fftools/cmdutils.c (bsc#1186658).
• CVE-2020-20448: Fixed divide by zero issue via libavcodec/ratecontrol.c (bsc#1186660).
• CVE-2020-22038: Fixed denial of service vulnerability due to a memory leak in the ff_v4l2_m2m_create_context function in v4l2_m2m.c (bsc#1186757).
• CVE-2020-22039: Fixed denial of service vulnerability due to a memory leak in the inavi_add_ientry function (bsc#1186758).
• CVE-2020-22043: Fixed denial of service vulnerability due to a memory leak at the fifo_alloc_common function in libavutil/fifo.c (bsc#1186762).
• CVE-2020-22044: Fixed denial of service vulnerability due to a memory leak in the url_open_dyn_buf_internal function in libavformat/aviobuf.c (bsc#1186763).
• CVE-2020-22033,CVE-2020-22019: Fixed a heap-based Buffer Overflow Vulnerability at libavfilter/vf_vmafmotion.c in convolution_y_8bit() and in convolution_y_10bit() in libavfilter/vf_vmafmotion.c (bsc#1186615, bsc#1186597).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Desktop Applications Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-2322=1
• Desktop Applications Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-2322=1
• SUSE Package Hub 15 15-SP2
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-2322=1
• SUSE Package Hub 15 15-SP3
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-2322=1
• SUSE Linux Enterprise Workstation Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-2322=1
• SUSE Linux Enterprise Workstation Extension 15 SP3
  zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-2322=1

Package List:

• Desktop Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libswscale-devel-3.4.2-11.3.1
  • libpostproc-devel-3.4.2-11.3.1
  • ffmpeg-debuginfo-3.4.2-11.3.1
  • libswresample-devel-3.4.2-11.3.1
  • ffmpeg-debugsource-3.4.2-11.3.1
  • libswscale4-3.4.2-11.3.1
  • libavcodec57-debuginfo-3.4.2-11.3.1
  • libavutil-devel-3.4.2-11.3.1
  • libpostproc54-debuginfo-3.4.2-11.3.1
  • libswresample2-3.4.2-11.3.1
  • libavutil55-3.4.2-11.3.1
  • libswscale4-debuginfo-3.4.2-11.3.1
  • libavformat57-3.4.2-11.3.1
  • libavformat57-debuginfo-3.4.2-11.3.1
  • libpostproc54-3.4.2-11.3.1
  • libswresample2-debuginfo-3.4.2-11.3.1
  • libavutil55-debuginfo-3.4.2-11.3.1
  • libavcodec57-3.4.2-11.3.1
• Desktop Applications Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  • libswscale-devel-3.4.2-11.3.1
  • libpostproc-devel-3.4.2-11.3.1
  • ffmpeg-debuginfo-3.4.2-11.3.1
  • libswresample-devel-3.4.2-11.3.1
  • ffmpeg-debugsource-3.4.2-11.3.1
  • libswscale4-3.4.2-11.3.1
  • libavcodec57-debuginfo-3.4.2-11.3.1
  • libavutil-devel-3.4.2-11.3.1
  • libpostproc54-debuginfo-3.4.2-11.3.1
  • libswresample2-3.4.2-11.3.1
  • libavutil55-3.4.2-11.3.1
  • libswscale4-debuginfo-3.4.2-11.3.1
  • libavformat57-3.4.2-11.3.1
  • libavformat57-debuginfo-3.4.2-11.3.1
  • libpostproc54-3.4.2-11.3.1
  • libswresample2-debuginfo-3.4.2-11.3.1
  • libavutil55-debuginfo-3.4.2-11.3.1
  • libavcodec57-3.4.2-11.3.1
• SUSE Package Hub 15 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libavdevice57-debuginfo-3.4.2-11.3.1
  • libavdevice57-3.4.2-11.3.1
  • libavfilter6-debuginfo-3.4.2-11.3.1
  • ffmpeg-debuginfo-3.4.2-11.3.1
  • ffmpeg-debugsource-3.4.2-11.3.1
  • ffmpeg-3.4.2-11.3.1
  • libavfilter6-3.4.2-11.3.1
• SUSE Package Hub 15 15-SP3 (aarch64 ppc64le s390x x86_64)
  • libavdevice57-debuginfo-3.4.2-11.3.1
  • libavdevice57-3.4.2-11.3.1
  • libavfilter6-debuginfo-3.4.2-11.3.1
  • ffmpeg-debuginfo-3.4.2-11.3.1
  • ffmpeg-debugsource-3.4.2-11.3.1
  • ffmpeg-3.4.2-11.3.1
  • libavfilter6-3.4.2-11.3.1
• SUSE Linux Enterprise Workstation Extension 15 SP2 (x86_64)
  • libavcodec-devel-3.4.2-11.3.1
  • libavresample3-debuginfo-3.4.2-11.3.1
  • ffmpeg-debuginfo-3.4.2-11.3.1
  • ffmpeg-debugsource-3.4.2-11.3.1
  • libavresample-devel-3.4.2-11.3.1
  • libavformat-devel-3.4.2-11.3.1
  • libavresample3-3.4.2-11.3.1
• SUSE Linux Enterprise Workstation Extension 15 SP3 (x86_64)
  • libavcodec-devel-3.4.2-11.3.1
  • libavresample3-debuginfo-3.4.2-11.3.1
  • ffmpeg-debuginfo-3.4.2-11.3.1
  • ffmpeg-debugsource-3.4.2-11.3.1
  • libavresample-devel-3.4.2-11.3.1
  • libavformat-devel-3.4.2-11.3.1
  • libavresample3-3.4.2-11.3.1

References:

• https://www.suse.com/security/cve/CVE-2019-17539.html
• https://www.suse.com/security/cve/CVE-2020-13904.html
• https://www.suse.com/security/cve/CVE-2020-20448.html
• https://www.suse.com/security/cve/CVE-2020-20451.html
• https://www.suse.com/security/cve/CVE-2020-21041.html
• https://www.suse.com/security/cve/CVE-2020-22015.html
• https://www.suse.com/security/cve/CVE-2020-22016.html
• https://www.suse.com/security/cve/CVE-2020-22017.html
• https://www.suse.com/security/cve/CVE-2020-22019.html
• https://www.suse.com/security/cve/CVE-2020-22020.html
• https://www.suse.com/security/cve/CVE-2020-22021.html
• https://www.suse.com/security/cve/CVE-2020-22022.html
• https://www.suse.com/security/cve/CVE-2020-22023.html
• https://www.suse.com/security/cve/CVE-2020-22025.html
• https://www.suse.com/security/cve/CVE-2020-22026.html
• https://www.suse.com/security/cve/CVE-2020-22031.html
• https://www.suse.com/security/cve/CVE-2020-22032.html
• https://www.suse.com/security/cve/CVE-2020-22033.html
• https://www.suse.com/security/cve/CVE-2020-22034.html
• https://www.suse.com/security/cve/CVE-2020-22038.html
• https://www.suse.com/security/cve/CVE-2020-22039.html
• https://www.suse.com/security/cve/CVE-2020-22043.html
• https://www.suse.com/security/cve/CVE-2020-22044.html
• https://bugzilla.suse.com/show_bug.cgi?id=1172640
• https://bugzilla.suse.com/show_bug.cgi?id=1186406
• https://bugzilla.suse.com/show_bug.cgi?id=1186583
• https://bugzilla.suse.com/show_bug.cgi?id=1186586
• https://bugzilla.suse.com/show_bug.cgi?id=1186587
• https://bugzilla.suse.com/show_bug.cgi?id=1186596
• https://bugzilla.suse.com/show_bug.cgi?id=1186597
• https://bugzilla.suse.com/show_bug.cgi?id=1186598
• https://bugzilla.suse.com/show_bug.cgi?id=1186600
• https://bugzilla.suse.com/show_bug.cgi?id=1186603
• https://bugzilla.suse.com/show_bug.cgi?id=1186604
• https://bugzilla.suse.com/show_bug.cgi?id=1186605
• https://bugzilla.suse.com/show_bug.cgi?id=1186613
• https://bugzilla.suse.com/show_bug.cgi?id=1186614
• https://bugzilla.suse.com/show_bug.cgi?id=1186615
• https://bugzilla.suse.com/show_bug.cgi?id=1186616
• https://bugzilla.suse.com/show_bug.cgi?id=1186658
• https://bugzilla.suse.com/show_bug.cgi?id=1186660
• https://bugzilla.suse.com/show_bug.cgi?id=1186757
• https://bugzilla.suse.com/show_bug.cgi?id=1186758