FFmpeg Vulnerabilities Addressed in Ubuntu
Several FFmpeg vulnerabilities were addressed in the latest Ubuntu security updates. These updates are available for Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 16.04 ESM. Other Ubuntu releases like 23.04, 22.04, and 23.01 are yet to receive these security patches.
Several FFmpeg Vulnerabilities Fixed
CVE-2020-22024
This is a buffer overflow issue found in the lagfun_frame16 function in libavfilter/vf_lagfun.c due to FFmpeg’s improper handling of some inputs. A remote attacker may use this flaw to cause a denial of service through an application crash. Only Ubuntu 20.04 LTS was affected by this problem.
CVE-2020-22039
A memory leak issue was discovered in the inavi_add_ientry function due to FFmpeg’s incorrect memory management. An attacker may utilize this flaw to cause a denial of service.
CVE-2020-22040
A memory leak in the v_frame_alloc function in frame.c caused FFmpeg to handle some files incorrectly. An attacker may utilize this flaw to cause a denial of service. Both Ubuntu 18.04 LTS and Ubuntu 20.04 LTS were affected by this problem.
CVE-2021-28429
It was found that timecode.c in FFmpeg processed some MOV files incorrectly, resulting in an integer overflow vulnerability. Using a crafted MOV file, an attacker may exploit this issue to cause a denial of service. This problem affected only Ubuntu 16.04 LTS.
CVE-2020-22043
A memory leak in the fifo_alloc_common function in libavutil/fifo.c caused FFmpeg to handle some files incorrectly. An attacker may utilize this flaw to cause a denial of service through an application crash.
CVE-2020-22051
It was found that a memory leak in vf_tile.c caused FFmpeg to handle some files incorrectly. An attacker may utilize this issue to cause a denial of service if they manage to trick a user or automated system into processing a specially crafted MOV file.
Final Thoughts
The addressed FFmpeg vulnerabilities are of medium severity, as described in the Ubuntu CVE database. Ubuntu 20.04 LTS is supported until 2025, so the updates can be applied normally. But Ubuntu 16.04 and Ubuntu 18.04 already reached end of life in 2021 and 2023, respectively. That means you will not get these Ubuntu security updates unless you purchase an Ubuntu Pro subscription.
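A quick way to confirm that a host actually received the fix is to compare the installed FFmpeg library package versions against the fixed version listed in the advisory. The script below is an added example, not from the original post or from Ubuntu or TuxCare; the fixed version is a placeholder to be taken from USN-6430-1 for your release, the package names (libavfilter7, libavutil56, libavformat58) are assumed to match the Ubuntu 20.04 LTS naming of the FFmpeg 4.2 libraries, and the sample version strings are constructed, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the original post, Ubuntu, or TuxCare).
# Reports whether installed FFmpeg library packages are older than a fixed version.
# The fixed version is a placeholder: take the real value from USN-6430-1.

# version_lt A B: exit 0 if Debian-style version A is older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg understands epochs ("7:") and Debian revision ordering natively
        dpkg --compare-versions "$1" lt "$2"
    else
        # fallback for non-Debian hosts: GNU sort -V orders these strings well enough
        first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
        [ "$first" = "$1" ]
    fi
}

# report_package NAME INSTALLED FIXED: prints a status line,
# returns 0 when an update is still needed and 1 when the package is current.
report_package() {
    name=$1; installed=$2; fixed=$3
    if version_lt "$installed" "$fixed"; then
        printf '%s %s: update needed (fixed in >= %s)\n' "$name" "$installed" "$fixed"
        return 0
    fi
    printf '%s %s: ok\n' "$name" "$installed"
    return 1
}

# Live use on an Ubuntu 20.04 host (commented out so the script runs anywhere).
# Package names are assumed for focal's FFmpeg 4.2 builds; adjust for other releases.
# FIXED="<fixed version from USN-6430-1>"
# for pkg in libavfilter7 libavutil56 libavformat58; do
#     inst=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) \
#         && report_package "$pkg" "$inst" "$FIXED"
# done

# Constructed sample data (not the advisory's real versions):
report_package libavfilter7 "7:4.2.7-0ubuntu0.1" "7:4.2.7-0ubuntu0.2" || true
report_package libavutil56  "7:4.2.7-0ubuntu0.2" "7:4.2.7-0ubuntu0.2" || true
```

Run it once per host after `apt upgrade`; any line reporting "update needed" means the library that carries the fixed code is still the old build, which also catches the common case where the ffmpeg binary was upgraded but a pinned or held library package was not.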
Alternatively, you can consider using a much more affordable option, TuxCare’s Extended Lifecycle Support. TuxCare provides extended support for both Ubuntu 16.04 and Ubuntu 18.04 for up to an additional 5 years after the end-of-life period. With vendor-grade security patches, you can ensure the protection of your Ubuntu server and enjoy a safe and secure computing environment.
The sources are available at USN-6430-1.