Security update for ffmpeg

Announcement ID:	SUSE-SU-2021:2919-1
Rating:	important
References:	bsc#1129714 bsc#1186849 bsc#1186859 bsc#1186861 bsc#1186863 bsc#1189142 bsc#1189348 bsc#1189350
Cross-References:	CVE-2019-9721 CVE-2020-21688 CVE-2020-21697 CVE-2020-22046 CVE-2020-22048 CVE-2020-22049 CVE-2020-22054 CVE-2021-38114
CVSS scores:	CVE-2019-9721 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2019-9721 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-9721 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-21688 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-21688 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-21697 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-21697 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22046 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-22046 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22048 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-22048 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22049 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-22049 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-22054 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-22054 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-38114 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2021-38114 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	Desktop Applications Module 15-SP2 Desktop Applications Module 15-SP3 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Workstation Extension 15 SP2 SUSE Linux Enterprise Workstation Extension 15 SP3 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.1 SUSE Manager Server 4.2 SUSE Package Hub 15 15-SP2 SUSE Package Hub 15 15-SP3

An update that solves eight vulnerabilities can now be installed.

Description:

This update for ffmpeg fixes the following issues:

• CVE-2019-9721: Fix denial of service in the subtitle decoder in handle_open_brace from libavcodec/htmlsubtitles.c (bsc#1129714).
• CVE-2020-22046: Fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c (bsc#1186849).
• CVE-2020-22048: Fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_frame_pool_get function in framepool.c (bsc#1186859).
• CVE-2020-22049: Fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the wtvfile_open_sector function in wtvdec.c (bsc#1186861).
• CVE-2020-22054: Fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the av_dict_set function in dict.c (bsc#1186863).
• CVE-2020-21688: Fixed a heap-use-after-free in the av_freep function in libavutil/mem.c (bsc#1189348).
• CVE-2020-21697: Fixed a heap-use-after-free in the mpeg_mux_write_packet function in libavformat/mpegenc.c (bsc#1189350).
• CVE-2021-38114: Fixed a not checked return value of the init_vlc function (bsc#1189142).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Desktop Applications Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-2919=1
• Desktop Applications Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-2919=1
• SUSE Package Hub 15 15-SP2
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-2919=1
• SUSE Package Hub 15 15-SP3
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-2919=1
• SUSE Linux Enterprise Workstation Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-2919=1
• SUSE Linux Enterprise Workstation Extension 15 SP3
  zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-2919=1

Package List:

• Desktop Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libswscale4-debuginfo-3.4.2-11.8.2
  • libavformat57-3.4.2-11.8.2
  • libpostproc-devel-3.4.2-11.8.2
  • libpostproc54-3.4.2-11.8.2
  • libswresample2-debuginfo-3.4.2-11.8.2
  • libavformat57-debuginfo-3.4.2-11.8.2
  • libswscale4-3.4.2-11.8.2
  • ffmpeg-debugsource-3.4.2-11.8.2
  • libavcodec57-debuginfo-3.4.2-11.8.2
  • libavcodec57-3.4.2-11.8.2
  • libpostproc54-debuginfo-3.4.2-11.8.2
  • libswscale-devel-3.4.2-11.8.2
  • libswresample-devel-3.4.2-11.8.2
  • libavutil-devel-3.4.2-11.8.2
  • libavutil55-3.4.2-11.8.2
  • libswresample2-3.4.2-11.8.2
  • ffmpeg-debuginfo-3.4.2-11.8.2
  • libavutil55-debuginfo-3.4.2-11.8.2
• Desktop Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64 i586)
  • libavresample3-3.4.2-11.8.2
  • libavresample-devel-3.4.2-11.8.2
  • libavresample3-debuginfo-3.4.2-11.8.2
• Desktop Applications Module 15-SP2 (x86_64)
  • libavresample3-32bit-debuginfo-3.4.2-11.8.2
  • libavresample3-32bit-3.4.2-11.8.2
• Desktop Applications Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  • libswscale4-debuginfo-3.4.2-11.8.2
  • libavformat57-3.4.2-11.8.2
  • libavresample3-3.4.2-11.8.2
  • libswresample2-3.4.2-11.8.2
  • libavformat57-debuginfo-3.4.2-11.8.2
  • libswresample-devel-3.4.2-11.8.2
  • libpostproc54-3.4.2-11.8.2
  • libswresample2-debuginfo-3.4.2-11.8.2
  • libpostproc-devel-3.4.2-11.8.2
  • ffmpeg-debugsource-3.4.2-11.8.2
  • libavcodec57-debuginfo-3.4.2-11.8.2
  • libavcodec57-3.4.2-11.8.2
  • libavutil-devel-3.4.2-11.8.2
  • ffmpeg-debuginfo-3.4.2-11.8.2
  • libswscale-devel-3.4.2-11.8.2
  • libavresample-devel-3.4.2-11.8.2
  • libswscale4-3.4.2-11.8.2
  • libavresample3-debuginfo-3.4.2-11.8.2
  • libpostproc54-debuginfo-3.4.2-11.8.2
  • libavutil55-3.4.2-11.8.2
  • libavutil55-debuginfo-3.4.2-11.8.2
• Desktop Applications Module 15-SP3 (aarch64_ilp32)
  • libavresample3-64bit-3.4.2-11.8.2
  • libavresample3-64bit-debuginfo-3.4.2-11.8.2
• SUSE Package Hub 15 15-SP2 (aarch64 ppc64le s390x x86_64)
  • ffmpeg-3.4.2-11.8.2
  • libavdevice57-debuginfo-3.4.2-11.8.2
  • ffmpeg-debugsource-3.4.2-11.8.2
  • libavfilter6-debuginfo-3.4.2-11.8.2
  • ffmpeg-debuginfo-3.4.2-11.8.2
  • libavdevice57-3.4.2-11.8.2
  • libavfilter6-3.4.2-11.8.2
• SUSE Package Hub 15 15-SP3 (aarch64 ppc64le s390x x86_64)
  • ffmpeg-3.4.2-11.8.2
  • libavdevice57-debuginfo-3.4.2-11.8.2
  • ffmpeg-debugsource-3.4.2-11.8.2
  • libavfilter6-debuginfo-3.4.2-11.8.2
  • ffmpeg-debuginfo-3.4.2-11.8.2
  • libavdevice57-3.4.2-11.8.2
  • libavfilter6-3.4.2-11.8.2
• SUSE Linux Enterprise Workstation Extension 15 SP2 (x86_64)
  • libavresample-devel-3.4.2-11.8.2
  • libavresample3-3.4.2-11.8.2
  • ffmpeg-debugsource-3.4.2-11.8.2
  • libavresample3-debuginfo-3.4.2-11.8.2
  • ffmpeg-debuginfo-3.4.2-11.8.2
  • libavformat-devel-3.4.2-11.8.2
  • libavcodec-devel-3.4.2-11.8.2
• SUSE Linux Enterprise Workstation Extension 15 SP3 (x86_64)
  • libavresample-devel-3.4.2-11.8.2
  • libavresample3-3.4.2-11.8.2
  • ffmpeg-debugsource-3.4.2-11.8.2
  • libavresample3-debuginfo-3.4.2-11.8.2
  • ffmpeg-debuginfo-3.4.2-11.8.2
  • libavformat-devel-3.4.2-11.8.2
  • libavcodec-devel-3.4.2-11.8.2

References:

• https://www.suse.com/security/cve/CVE-2019-9721.html
• https://www.suse.com/security/cve/CVE-2020-21688.html
• https://www.suse.com/security/cve/CVE-2020-21697.html
• https://www.suse.com/security/cve/CVE-2020-22046.html
• https://www.suse.com/security/cve/CVE-2020-22048.html
• https://www.suse.com/security/cve/CVE-2020-22049.html
• https://www.suse.com/security/cve/CVE-2020-22054.html
• https://www.suse.com/security/cve/CVE-2021-38114.html
• https://bugzilla.suse.com/show_bug.cgi?id=1129714
• https://bugzilla.suse.com/show_bug.cgi?id=1186849
• https://bugzilla.suse.com/show_bug.cgi?id=1186859
• https://bugzilla.suse.com/show_bug.cgi?id=1186861
• https://bugzilla.suse.com/show_bug.cgi?id=1186863
• https://bugzilla.suse.com/show_bug.cgi?id=1189142
• https://bugzilla.suse.com/show_bug.cgi?id=1189348
• https://bugzilla.suse.com/show_bug.cgi?id=1189350