Test ID: | 1.3.6.1.4.1.25623.1.1.4.2025.1128.1 |
Category: | SuSE Local Security Checks |
Title: | SUSE: Security Advisory (SUSE-SU-2025:1128-1) |
Summary: | The remote host is missing an update for the 'ffmpeg-4' package(s) announced via the SUSE-SU-2025:1128-1 advisory. |
Description: |
Summary: The remote host is missing an update for the 'ffmpeg-4' package(s) announced via the SUSE-SU-2025:1128-1 advisory.

Vulnerability Insight: This update for ffmpeg-4 fixes the following issues:

- CVE-2020-22037: Fixed unchecked return value of the init_vlc function (bsc#1186756)
- CVE-2024-12361: Fixed null pointer dereference (bsc#1237358)
- CVE-2024-35368: Fixed double free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c (bsc#1234028)
- CVE-2024-36613: Fixed integer overflow in the DXA demuxer of the libavformat library (bsc#1235092)
- CVE-2025-0518: Fixed memory leak due to unchecked sscanf return value (bsc#1236007)
- CVE-2025-22919: Fixed denial of service (DoS) via opening a crafted AAC file (bsc#1237371)
- CVE-2025-22921: Fixed segmentation violation in NULL pointer dereference via the component /libavcodec/jpeg2000dec.c (bsc#1237382)
- CVE-2025-25473: Fixed memory leak in avformat_free_context() (bsc#1237351)

Other fixes:

- Build with SVT-AV1 3.0.0.
- Update to release 4.4.5:
  * Adjust bconds to build the package in SLFO without xvidcore.
  * Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch (bsc#1229338)
  * Add ffmpeg-c99.patch so that the package conforms to the C99 standard and builds on i586 with GCC 14.
  * No longer build against libmfx, build against libvpl (bsc#1230983, bsc#1219494)
  * Drop libmfx dependency from our product (jira #PED-10024)
  * Update patch to build with glslang 14
  * Disable vmaf integration as ffmpeg-4 cannot handle vmaf>=3
  * Copy codec list from ffmpeg-6
  * Resolve build failure with binutils >= 2.41. (bsc#1215945)
- Update to version 4.4.4:
  * avcodec/012v: Order operations for odd size handling
  * avcodec/alsdec: The minimal block is at least 7 bits
  * avcodec/bink:
    - Avoid undefined out of array end pointers in binkb_decode_plane()
    - Fix off by 1 error in ref end
  * avcodec/eac3dec: avoid float noise in fixed mode addition to overflow
  * avcodec/eatgq: Check index increments in tgq_decode_block()
  * avcodec/escape124:
    - Fix signdness of end of input check
    - Fix some return codes
  * avcodec/ffv1dec:
    - Check that num h/v slices is supported
    - Fail earlier if prior context is corrupted
    - Restructure slice coordinate reading a bit
  * avcodec/mjpegenc: take into account component count when writing the SOF header size
  * avcodec/mlpdec: Check max matrix instead of max channel in noise check
  * avcodec/motionpixels: Mask pixels to valid values
  * avcodec/mpeg12dec: Check input size
  * avcodec/nvenc:
    - Fix b-frame DTS behavior with fractional framerates
    - Fix vbv buffer size in cq mode
  * avcodec/pictordec: Remove mid exit branch
  * avcodec/pngdec: Check deloco index more exactly
  * avcodec/rpzaenc: stop accessing out of bounds frame
  * avcodec/scpr3: Check bx
  * avcodec/scpr: Test bx before use
  * avcodec/snowenc: Fix visual weight calculation
  * avcodec/speedhq: Check buf_size to be big enough for DC
  * avcodec/sunrast: Fix maplength check
  * avcodec/tests/snowenc:
    - Fix 2nd test
    - Return a failure if DWT/IDWT mismatches
    - ...

[Please see the references for more information on the vulnerabilities]

Affected Software/OS: 'ffmpeg-4' package(s) on SUSE Linux Enterprise Server 15-SP4, SUSE Linux Enterprise Server for SAP Applications 15-SP4.

Solution: Please install the updated package(s).

CVSS Score: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P |
Cross-reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2020-22037
Debian Security Information: DSA-4990 https://www.debian.org/security/2021/dsa-4990
Debian Security Information: DSA-4998 https://www.debian.org/security/2021/dsa-4998
https://trac.ffmpeg.org/ticket/8281
https://lists.debian.org/debian-lts-announce/2021/11/msg00012.html
Common Vulnerability Exposure (CVE) ID: CVE-2024-12361
Common Vulnerability Exposure (CVE) ID: CVE-2024-35368
Common Vulnerability Exposure (CVE) ID: CVE-2024-36613
Common Vulnerability Exposure (CVE) ID: CVE-2025-0518
Common Vulnerability Exposure (CVE) ID: CVE-2025-22919
Common Vulnerability Exposure (CVE) ID: CVE-2025-22921
Common Vulnerability Exposure (CVE) ID: CVE-2025-25473 |
Copyright | Copyright (C) 2025 Greenbone AG |