Security update for ffmpeg-4

Announcement ID: SUSE-SU-2025:1128-1
Release Date: 2025-04-03T11:54:06Z
Rating: important
CVSS scores:
  • CVE-2020-22037 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2020-22037 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2024-12361 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  • CVE-2024-12361 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2024-35368 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  • CVE-2024-35368 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2024-35368 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2024-36613 ( SUSE ): 4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
  • CVE-2024-36613 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
  • CVE-2024-36613 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-0518 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2025-0518 ( NVD ): 4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVE-2025-22919 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  • CVE-2025-22919 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2025-22919 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2025-22921 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  • CVE-2025-22921 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2025-22921 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2025-25473 ( SUSE ): 0.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
  • CVE-2025-25473 ( SUSE ): 0.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N
  • CVE-2025-25473 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
  • openSUSE Leap 15.4
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server 15 SP4 LTSS
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4

An update that solves eight vulnerabilities, contains one feature and has five security fixes can now be installed.

Description:

This update for ffmpeg-4 fixes the following issues:

  • CVE-2020-22037: Fixed unchecked return value of the init_vlc function (bsc#1186756)
  • CVE-2024-12361: Fixed null pointer dereference (bsc#1237358)
  • CVE-2024-35368: Fixed double free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c (bsc#1234028)
  • CVE-2024-36613: Fixed integer overflow in the DXA demuxer of the libavformat library (bsc#1235092)
  • CVE-2025-0518: Fixed memory leak due to unchecked sscanf return value (bsc#1236007)
  • CVE-2025-22919: Fixed denial of service (DoS) via opening a crafted AAC file (bsc#1237371)
  • CVE-2025-22921: Fixed segmentation violation in NULL pointer dereference via the component /libavcodec/jpeg2000dec.c (bsc#1237382)
  • CVE-2025-25473: Fixed memory leak in avformat_free_context() (bsc#1237351)

Other fixes:

  • Build with SVT-AV1 3.0.0.

  • Update to release 4.4.5:

  • Adjust bconds to build the package in SLFO without xvidcore.
  • Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch (bsc#1229338)
  • Add ffmpeg-c99.patch so that the package conforms to the C99 standard and builds on i586 with GCC 14.
  • No longer build against libmfx; build against libvpl (bsc#1230983, bsc#1219494)
  • Drop libmfx dependency from our product (jira #PED-10024)
  • Update patch to build with glslang 14
  • Disable vmaf integration as ffmpeg-4 cannot handle vmaf>=3
  • Copy codec list from ffmpeg-6
  • Resolve build failure with binutils >= 2.41. (bsc#1215945)

  • Update to version 4.4.4:

  • avcodec/012v: Order operations for odd size handling
  • avcodec/alsdec: The minimal block is at least 7 bits
  • avcodec/bink:
    • Avoid undefined out of array end pointers in
      binkb_decode_plane()
    • Fix off by 1 error in ref end
  • avcodec/eac3dec: avoid float noise in fixed mode addition to
    overflow
  • avcodec/eatgq: Check index increments in tgq_decode_block()
  • avcodec/escape124:
    • Fix signedness of end of input check
    • Fix some return codes
  • avcodec/ffv1dec:
    • Check that num h/v slices is supported
    • Fail earlier if prior context is corrupted
    • Restructure slice coordinate reading a bit
  • avcodec/mjpegenc: take into account component count when
    writing the SOF header size
  • avcodec/mlpdec: Check max matrix instead of max channel in
    noise check
  • avcodec/motionpixels: Mask pixels to valid values
  • avcodec/mpeg12dec: Check input size
  • avcodec/nvenc:
    • Fix b-frame DTS behavior with fractional framerates
    • Fix vbv buffer size in cq mode
  • avcodec/pictordec: Remove mid exit branch
  • avcodec/pngdec: Check deloco index more exactly
  • avcodec/rpzaenc: stop accessing out of bounds frame
  • avcodec/scpr3: Check bx
  • avcodec/scpr: Test bx before use
  • avcodec/snowenc: Fix visual weight calculation
  • avcodec/speedhq: Check buf_size to be big enough for DC
  • avcodec/sunrast: Fix maplength check
  • avcodec/tests/snowenc:
    • Fix 2nd test
    • Return a failure if DWT/IDWT mismatches
    • Unbreak DWT tests
  • avcodec/tiff: Ignore tile_count
  • avcodec/utils:
    • Allocate a line more for VC1 and WMV3
    • Ensure linesize for SVQ3
    • Use 32pixel alignment for bink
  • avcodec/videodsp_template: Adjust pointers to avoid undefined
    pointer things
  • avcodec/vp3: Add missing check for av_malloc
  • avcodec/wavpack:
    • Avoid undefined shift in get_tail()
    • Check for end of input in wv_unpack_dsd_high()
  • avcodec/xpmdec: Check size before allocation to avoid
    truncation
  • avfilter/vf_untile: swap the chroma shift values used for plane
    offsets
  • avformat/id3v2: Check taglen in read_uslt()
  • avformat/mov: Check samplesize and offset to avoid integer
    overflow
  • avformat/mxfdec: Use 64bit in remainder
  • avformat/nutdec: Add check for avformat_new_stream
  • avformat/replaygain: avoid undefined / negative abs
  • swscale/input: Use more unsigned intermediates
  • swscale/output: Bias 16bps output calculations to improve non
    overflowing range
  • swscale: aarch64: Fix yuv2rgb with negative stride
  • Use https for repository links

  • Update to version 4.4.3:

  • Stable bug fix release, mainly codecs, filter and format fixes.

  • Add patch to detect SDL2 >= 2.1.0 (bsc#1202848):

  • Update to version 4.4.2:

  • Stable bug fix release, mainly codecs, filter and format fixes.

  • Add conflicts for ffmpeg-5's tools

  • Enable Vulkan filters
  • Fix OS version check, so nvcodec is enabled for Leap too.
  • Disable libsmbclient usage (can always be built with
    --with-smbclient): the use case of ffmpeg directly accessing
    smb:// shares is quite contrived (most users will have their
    smb shares mounted).

  • Update to version 4.4.1:

  • Stable bug fix release, mainly codecs and format fixes.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch SUSE-2025-1128=1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1128=1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1128=1
  • SUSE Linux Enterprise Server 15 SP4 LTSS
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1128=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1128=1

Package List:

  • openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    • libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    • ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    • libavcodec58_134-4.4.5-150400.3.46.1
    • ffmpeg-4-libavdevice-devel-4.4.5-150400.3.46.1
    • ffmpeg-4-libavresample-devel-4.4.5-150400.3.46.1
    • ffmpeg-4-libswscale-devel-4.4.5-150400.3.46.1
    • libavfilter7_110-debuginfo-4.4.5-150400.3.46.1
    • libavformat58_76-4.4.5-150400.3.46.1
    • libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    • libavresample4_0-4.4.5-150400.3.46.1
    • ffmpeg-4-libswresample-devel-4.4.5-150400.3.46.1
    • libavdevice58_13-debuginfo-4.4.5-150400.3.46.1
    • ffmpeg-4-4.4.5-150400.3.46.1
    • ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    • libswscale5_9-debuginfo-4.4.5-150400.3.46.1
    • libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-4.4.5-150400.3.46.1
    • ffmpeg-4-libavutil-devel-4.4.5-150400.3.46.1
    • libpostproc55_9-4.4.5-150400.3.46.1
    • ffmpeg-4-libpostproc-devel-4.4.5-150400.3.46.1
    • libavfilter7_110-4.4.5-150400.3.46.1
    • ffmpeg-4-libavcodec-devel-4.4.5-150400.3.46.1
    • ffmpeg-4-libavfilter-devel-4.4.5-150400.3.46.1
    • ffmpeg-4-libavformat-devel-4.4.5-150400.3.46.1
    • libswscale5_9-4.4.5-150400.3.46.1
    • libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    • libavdevice58_13-4.4.5-150400.3.46.1
    • libswresample3_9-4.4.5-150400.3.46.1
    • ffmpeg-4-private-devel-4.4.5-150400.3.46.1
    • libavresample4_0-debuginfo-4.4.5-150400.3.46.1
  • openSUSE Leap 15.4 (x86_64)
    • libavresample4_0-32bit-4.4.5-150400.3.46.1
    • libswresample3_9-32bit-debuginfo-4.4.5-150400.3.46.1
    • libavformat58_76-32bit-debuginfo-4.4.5-150400.3.46.1
    • libavresample4_0-32bit-debuginfo-4.4.5-150400.3.46.1
    • libpostproc55_9-32bit-4.4.5-150400.3.46.1
    • libavcodec58_134-32bit-debuginfo-4.4.5-150400.3.46.1
    • libavcodec58_134-32bit-4.4.5-150400.3.46.1
    • libswresample3_9-32bit-4.4.5-150400.3.46.1
    • libswscale5_9-32bit-debuginfo-4.4.5-150400.3.46.1
    • libavdevice58_13-32bit-debuginfo-4.4.5-150400.3.46.1
    • libavformat58_76-32bit-4.4.5-150400.3.46.1
    • libpostproc55_9-32bit-debuginfo-4.4.5-150400.3.46.1
    • libswscale5_9-32bit-4.4.5-150400.3.46.1
    • libavfilter7_110-32bit-debuginfo-4.4.5-150400.3.46.1
    • libavfilter7_110-32bit-4.4.5-150400.3.46.1
    • libavutil56_70-32bit-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-32bit-4.4.5-150400.3.46.1
    • libavdevice58_13-32bit-4.4.5-150400.3.46.1
  • openSUSE Leap 15.4 (aarch64_ilp32)
    • libavresample4_0-64bit-debuginfo-4.4.5-150400.3.46.1
    • libpostproc55_9-64bit-4.4.5-150400.3.46.1
    • libavutil56_70-64bit-4.4.5-150400.3.46.1
    • libavfilter7_110-64bit-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-64bit-debuginfo-4.4.5-150400.3.46.1
    • libswscale5_9-64bit-4.4.5-150400.3.46.1
    • libavfilter7_110-64bit-4.4.5-150400.3.46.1
    • libavdevice58_13-64bit-4.4.5-150400.3.46.1
    • libpostproc55_9-64bit-debuginfo-4.4.5-150400.3.46.1
    • libavcodec58_134-64bit-debuginfo-4.4.5-150400.3.46.1
    • libavresample4_0-64bit-4.4.5-150400.3.46.1
    • libswscale5_9-64bit-debuginfo-4.4.5-150400.3.46.1
    • libavdevice58_13-64bit-debuginfo-4.4.5-150400.3.46.1
    • libavformat58_76-64bit-debuginfo-4.4.5-150400.3.46.1
    • libavcodec58_134-64bit-4.4.5-150400.3.46.1
    • libavutil56_70-64bit-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-64bit-4.4.5-150400.3.46.1
    • libavformat58_76-64bit-4.4.5-150400.3.46.1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
    • libpostproc55_9-4.4.5-150400.3.46.1
    • libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    • ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    • libavcodec58_134-4.4.5-150400.3.46.1
    • libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    • libavformat58_76-4.4.5-150400.3.46.1
    • ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-4.4.5-150400.3.46.1
    • libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-4.4.5-150400.3.46.1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
    • libpostproc55_9-4.4.5-150400.3.46.1
    • libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    • ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    • libavcodec58_134-4.4.5-150400.3.46.1
    • libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    • libavformat58_76-4.4.5-150400.3.46.1
    • ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-4.4.5-150400.3.46.1
    • libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-4.4.5-150400.3.46.1
  • SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
    • libpostproc55_9-4.4.5-150400.3.46.1
    • libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    • ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    • libavcodec58_134-4.4.5-150400.3.46.1
    • libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    • libavformat58_76-4.4.5-150400.3.46.1
    • ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-4.4.5-150400.3.46.1
    • libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-4.4.5-150400.3.46.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
    • libpostproc55_9-4.4.5-150400.3.46.1
    • libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    • ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    • libavcodec58_134-4.4.5-150400.3.46.1
    • libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    • libavformat58_76-4.4.5-150400.3.46.1
    • ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    • libswresample3_9-4.4.5-150400.3.46.1
    • libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    • libavutil56_70-4.4.5-150400.3.46.1
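
To confirm the update actually landed on a host, installed builds can be compared against the fixed version-release 4.4.5-150400.3.46.1 from the package list above. The script below is an added example, not part of the SUSE advisory; the function names and the sample inventory are constructed for illustration, and the version comparison is a numeric-only simplification of rpm's own ordering.

```shell
# Added example: flag ffmpeg-4 packages still below this advisory's fixed build.
FIXED_EVR="4.4.5-150400.3.46.1"   # version-release from the package list above

# Three-way compare of dotted all-numeric strings (simplified rpm ordering); prints lt, eq or gt.
cmp_dotted() {
    a=$1 b=$2
    while [ -n "$a$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && { echo gt; return; }
        [ "${x:-0}" -lt "${y:-0}" ] && { echo lt; return; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
}

# Succeeds when version-release $1 is at or above $2 (version first, then release).
evr_ge() {
    case $(cmp_dotted "${1%%-*}" "${2%%-*}") in
        gt) return 0 ;; lt) return 1 ;;
    esac
    [ "$(cmp_dotted "${1#*-}" "${2#*-}")" != lt ]
}

# Reads "name version-release" lines; prints packages from this update that lag.
find_unpatched() {
    while read -r name evr; do
        case $name in
            ffmpeg-4|ffmpeg-4-*|libavcodec58_134*|libavformat58_76*|libavutil56_70*|\
            libavfilter7_110*|libavdevice58_13*|libavresample4_0*|\
            libswresample3_9*|libswscale5_9*|libpostproc55_9*)
                evr_ge "$evr" "$FIXED_EVR" || printf '%s %s\n' "$name" "$evr" ;;
        esac
    done
}

# Constructed inventory; only the 4.4.5-150400.3.46.1 build is from the advisory.
sample_inventory() {
    cat <<'EOF'
libavcodec58_134 4.4.5-150400.3.46.1
libavformat58_76 4.4-150400.3.40.1
libavutil56_70 4.4.5-150400.3.50.1
ffmpeg-4 4.4.4-150400.3.44.1
bash 4.4.23-150400.25.22
EOF
}

# Live host: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | find_unpatched
sample_inventory | find_unpatched
```

Empty output means every ffmpeg-4 library in the inventory is at or above the fixed build; processes that loaded the old libraries still need a restart to pick up the new ones.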
