[FFmpeg-devel] FFmpeg Vulnerable to Denial-of-Service (DoS) via Heap-Based Buffer Overflow in 'cbs_jpeg.c' File

Michael Niedermayer michael at niedermayer.cc
Fri May 22 22:35:29 EEST 2020


On Fri, May 22, 2020 at 10:02:40AM +0000, Narayanaswamy, Raghu wrote:
> Hi,
> 
> 
> 
> I heard that, security fix is already there on the master branch[*] and will most likely be backported to the coming release 4.2.3, together with many other fixes.
> 
> 
> 
> I have following queries.
> 

> 1.     In master branch ffversion.h version remains as "#define FFMPEG_VERSION "n4.2.1"", even though current release version is 4.2.2

There is no such file in master

git show master:libavutil/ffversion.h
fatal: Path 'libavutil/ffversion.h' exists on disk, but not in 'master'.

The file is created during build


> 
>   1.  Is there any issue that if fix is taken directly from Master, does it mean it is not sufficiently tested/validated for Production use?

>   2.  When is the scheduled release date for 4.2.3?

4.2.3 was released on 2020-05-21
as listed on our downaload page

Thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Awnsering whenever a program halts or runs forever is
On a turing machine, in general impossible (turings halting problem).
On any real computer, always possible as a real computer has a finite number
of states N, and will either halt in less than N cycles or never halt.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200522/4b36dccc/attachment.sig>


More information about the ffmpeg-devel mailing list