ClickCease FFmpeg Vulnerabilities Addressed in Ubuntu

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

FFmpeg Vulnerabilities Addressed in Ubuntu

by Rohan Timalsina

October 27, 2023 - TuxCare expert team

Several FFmpeg vulnerabilities were addressed in the latest Ubuntu security updates. These updates are available for Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 16.04 ESM. Other Ubuntu releases like 23.04, 22.04, and 23.01 are yet to receive these security patches.

 

Several FFmpeg Vulnerabilities Fixed

CVE-2020-22024

This is a buffer overflow issue found in the lagfun_frame16 function in libavfilter/vf_lagfun.c due to FFmpeg’s improper handling of some inputs. A remote attacker may use this flaw to cause a denial of service through an application crash. Only Ubuntu 20.04 LTS was affected by this problem.

 

CVE-2020-22039

A memory leak issue was discovered in the inavi_add_ientry function due to FFmpeg’s incorrect memory management. An attacker may utilize this flaw to cause a denial of service.

 

CVE-2020-22040

A memory leak in the v_frame_alloc function in frame.c caused FFmpeg to handle some files incorrectly. An attacker may utilize this flaw to cause a denial of service. Both Ubuntu 18.04 LTS and Ubuntu 20.04 LTS were affected by this problem.

CVE-2021-28429

It was found that timecode.c in FFmpeg processed some MOV files incorrectly, resulting in an integer overflow vulnerability. Using a crafted MOV file, an attacker may exploit this issue to cause a denial of service. This problem affected only Ubuntu 16.04 LTS.

 

CVE-2020-22043

A memory leak in the fifo_alloc_common function in libavutil/fifo.c caused FFmpeg to handle some files incorrectly. An attacker may utilize this flaw to cause a denial of service through an application crash.

 

CVE-2020-22051

It was found that a memory leak in vf_tile.c caused FFmpeg to handle some files incorrectly. An attacker may utilize this issue to cause a denial of service if they manage to trick a user or automated system into processing a specially crafted MOV file.

 

Final Thoughts

The addressed FFmpeg vulnerabilities are of medium severity, as described in the Ubuntu CVE database. Ubuntu 20.04 LTS is supported until 2025, so the updates can be applied normally. But Ubuntu 16.04 and Ubuntu 18.04 have already reached the end of life in 2021 and 2023, respectively. That means you will not get these Ubuntu security updates unless you purchase a Ubuntu Pro subscription.

Alternatively, you can consider using a much more affordable option, TuxCare’s Extended Lifecycle Support. TuxCare provides extended support for both Ubuntu 16.04 and Ubuntu 18.04 for up to an additional 5 years after the end-of-life period. With vendor-grade security patches, you can ensure the protection of your Ubuntu server and enjoy a safe and secure computing environment.

 

The sources are available at USN-6430-1.

Summary
FFmpeg Vulnerabilities Addressed in Ubuntu
Article Name
FFmpeg Vulnerabilities Addressed in Ubuntu
Description
Discover the FFmpeg vulnerabilities, including buffer overflows and memory leaks that have been fixed in the Ubuntu security updates.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Become a TuxCare Guest Writer

Mail

Help Us Understand
the Linux Landscape!

Complete our survey on the state of Open Source and you could win one of several prizes, with the top prize valued at $500!

Your expertise is needed to shape the future of Enterprise Linux!