
Understanding the Recent FFmpeg Vulnerabilities

Rohan Timalsina

June 13, 2024 - TuxCare expert team

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, a popular tool for processing audio and video files. These vulnerabilities could lead to severe consequences such as denial of service or arbitrary code execution on affected systems. Fortunately, they have been addressed in the latest updates, ensuring that users can safeguard their systems against these threats.

The Ubuntu security team has also provided security updates to fix these issues in various versions, including Ubuntu 24.04 LTS, Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 16.04 ESM.

FFmpeg Vulnerabilities Fixed in Ubuntu

Below is a detailed overview of the specific vulnerabilities and their potential impact:

CVE-2023-49502

A buffer overflow was discovered in FFmpeg's handling of certain input files. A crafted file could crash the FFmpeg application, resulting in denial of service, or potentially allow arbitrary code execution. This vulnerability affects several Ubuntu versions, including Ubuntu 18.04, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.10, and Ubuntu 24.04 LTS.

CVE-2023-51794 and CVE-2023-51798

These two buffer overflow vulnerabilities are similar in nature: both stem from incorrect handling of certain input files, and a crafted file could be used to crash the application. They pose a significant security risk, potentially allowing denial of service or arbitrary code execution. The affected Ubuntu versions are Ubuntu 18.04, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10.

CVE-2024-31578

A heap use-after-free vulnerability was discovered in FFmpeg due to the incorrect handling of certain input files, posing a risk of denial of service or arbitrary code execution. The affected versions include Ubuntu 18.04, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.10, and Ubuntu 24.04 LTS.

CVE-2024-31585

An off-by-one error was found in FFmpeg's libavfilter/avf_showspectrum.c. As with the other vulnerabilities, it is triggered by incorrect handling of specific input files and could be exploited to cause a denial of service or arbitrary code execution.

The Ubuntu security updates address other similar FFmpeg vulnerabilities. Full details can be found in the Ubuntu Security Notice.

Mitigation and Updates

To fix these vulnerabilities, upgrading FFmpeg packages to the latest versions provided by Ubuntu security updates is essential. By keeping your system updated, you can mitigate the risks posed by these vulnerabilities and maintain a secure computing environment.

Updating your system to the latest FFmpeg version is straightforward. First, run the following command in the terminal to update the package lists for upgrades.

$ sudo apt update

Then run this command to upgrade FFmpeg packages to the latest version:

$ sudo apt install --only-upgrade ffmpeg
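The upgrade commands above leave one question open: how to confirm, on each host, that the installed FFmpeg packages are actually at or past the fixed version. The script below is an added example written for this article; it is not TuxCare's or Ubuntu's tooling. It reproduces dpkg's version-ordering rules (epoch, upstream version, Debian revision, with "~" sorting before everything) and applies them to the output of `dpkg-query -W -f='${Package} ${Version} ${Status}\n' ffmpeg 'libav*'`. The `FIXED_VERSION` value is a placeholder to be replaced with the version listed for your release in USN-6803-1, and `SAMPLE_DPKG_OUTPUT` is constructed sample data, not real package state.

```python
"""Report FFmpeg-related packages older than a fixed version, using the same
version ordering as dpkg.  Added example; not part of the article or USN-6803-1."""
import subprocess
import sys

# Placeholder only: substitute the fixed version for your release from USN-6803-1.
FIXED_VERSION = "7:4.4.2-0ubuntu0.22.04.2"

# Constructed sample of `dpkg-query -W -f='${Package} ${Version} ${Status}\n' ffmpeg 'libav*'`
# output. The versions are illustrative and not taken from the advisory.
SAMPLE_DPKG_OUTPUT = """\
ffmpeg 7:4.4.2-0ubuntu0.22.04.1 install ok installed
libavcodec58 7:4.4.2-0ubuntu0.22.04.2 install ok installed
libavfilter7 7:4.4.2-0ubuntu0.22.04.1 install ok installed
libavdevice58 7:4.4.2-0ubuntu0.22.04.1 deinstall ok config-files
"""


def _order(c):
    """dpkg's character weight: '~' sorts before anything (even end of string),
    letters before non-letters; digits and end-of-string both weigh 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream-version or revision string the way dpkg does:
    alternate non-digit runs (by _order) and digit runs (numerically,
    ignoring leading zeros)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more significant digits left, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(version):
    """Split a Debian version string into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def unpatched_packages(dpkg_output, fixed_version=FIXED_VERSION):
    """Return [(package, version)] for packages in the 'installed' state whose
    version is older than fixed_version; removed/config-files packages are skipped."""
    result = []
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        package, version, status = fields[0], fields[1], fields[2:]
        if status[-1] != "installed":
            continue
        if compare_versions(version, fixed_version) < 0:
            result.append((package, version))
    return result


def query_dpkg():
    """Ask dpkg on the local host (Debian/Ubuntu only) for the real package state."""
    cmd = ["dpkg-query", "-W", "-f=${Package} ${Version} ${Status}\n", "ffmpeg", "libav*"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    text = query_dpkg() if "--live" in sys.argv else SAMPLE_DPKG_OUTPUT
    for package, version in unpatched_packages(text):
        print(f"{package} {version} is older than {FIXED_VERSION}: upgrade required")
```

Run it with `--live` on an Ubuntu host to check real package state; without the flag it evaluates the constructed sample. Checking the libav* library packages, not just the ffmpeg binary package, matters because the fixed code lives in libraries such as libavfilter that other applications load without the ffmpeg command installed; `sudo apt upgrade` covers those packages where `--only-upgrade ffmpeg` would not. Long-running processes that have the old libraries mapped keep using them until restarted.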

Conclusion

While FFmpeg remains a powerful tool for multimedia processing, staying informed about vulnerabilities and promptly applying patches is crucial to maintaining the security and integrity of systems utilizing this framework. By taking proactive measures, users can mitigate risks and continue to use FFmpeg without compromising security.

Canonical stopped providing security updates for Ubuntu 16.04 and Ubuntu 18.04 after their end-of-life dates. You can use TuxCare’s Extended Lifecycle Support (ELS) to receive vendor-grade security patches for Ubuntu 16.04 and Ubuntu 18.04 for an additional five years after the EOL date. This keeps your Ubuntu 16.04 and Ubuntu 18.04 servers secure after the end-of-life period while giving you enough time to plan your migration at your own pace.

Source: USN-6803-1
