[FFmpeg-user] EXTERNAL: Re: ffmpeg 4.4.1 security issue [Internal]

Dama, Nikhil Nikhil.Dama at usaa.com
Thu Jan 6 20:30:23 EET 2022


Thanks for the prompt and quick reply.


-----Original Message-----
From: ffmpeg-user <ffmpeg-user-bounces at ffmpeg.org> On Behalf Of Moritz Barsnick
Sent: Thursday, January 6, 2022 10:07 AM
To: FFmpeg user discussions <ffmpeg-user at ffmpeg.org>
Subject: EXTERNAL: Re: [FFmpeg-user] ffmpeg 4.4.1 security issue

On Thu, Jan 06, 2022 at 13:12:51 +0000, FFmpeg user discussions wrote:
> I am currently a data scientist at USAA. I was trying to use FFMPEG 4.4.1 to convert spex audio files to wav audio format.
>
> My security team denied the download of the package, and here is the following explanation that they gave:
> DOWNLOAD DENIED: Multiple known vulnerabilities like CVE-2021-38171. I was wondering how I can get this fixed or if it is already fixed in a later version?

The fix is mentioned in the CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-38171):

https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6

It was ported to the 4.4 branch here:

https://github.com/FFmpeg/FFmpeg/commit/fb993619d1035fa9646506925ea70fb122038999

and that is contained in release 4.4.1, as far as I can tell (by "git tag --contains fb993619d1035fa9646506925ea70fb122038999").

So the CVE refers to version 4.4, and version 4.4.1 fixes this and is therefore not affected, AFAICT.

You'll have to have your security team check 4.4.1. You may need to check each CVE separately (they mention "multiple known vulnerabilities"). If in doubt, disable the affected feature (as in this case: the ADTS muxer).

Hope this helps,
Moritz
_______________________________________________
ffmpeg-user mailing list
ffmpeg-user at ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-user

To unsubscribe, visit link above, or email ffmpeg-user-request at ffmpeg.org with subject "unsubscribe".
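The check Moritz describes ("git tag --contains <fix commit>") generalises to any list of CVE/fix-commit pairs that a security team wants verified against a release tag. The script below is an added example, not code from the thread or from the FFmpeg project. It builds a small constructed git repository standing in for an FFmpeg clone (FFmpeg's real release tags are named n4.4, n4.4.1 and so on; the commit messages and history here are placeholders), then answers "is this fix contained in this tag?" for each CVE. Against a real clone you would call the same functions with the commit hashes quoted above and the tag n4.4.1.

```shell
#!/bin/sh
# Added example: verify that CVE fix commits are reachable from a release tag.
# Assumptions: git is installed; the repository layout is the constructed toy
# history built by make_toy_repo, not FFmpeg's real history.
set -eu

# fix_in_tag REPO COMMIT TAG -> prints "yes" if TAG contains COMMIT, else "no".
# Uses the same query Moritz used, "git tag --contains", and matches the tag
# name exactly so that n4.4 does not accidentally match n4.4.1.
fix_in_tag() {
    r=$1; c=$2; t=$3
    if git -C "$r" tag --contains "$c" </dev/null | grep -qx "$t"; then
        echo yes
    else
        echo no
    fi
}

# report_cves REPO TAG reads "CVE-ID FIX-COMMIT" pairs from stdin and prints
# one line per CVE, so each CVE in a "multiple known vulnerabilities" verdict
# is checked separately rather than judged by version number alone.
report_cves() {
    repo=$1; tag=$2
    while read -r cve commit; do
        [ -n "$cve" ] || continue
        case $(fix_in_tag "$repo" "$commit" "$tag") in
            yes) echo "$cve fixed" ;;
            no)  echo "$cve NOT-FIXED" ;;
        esac
    done
}

# toy_commit DIR MESSAGE: empty commit with a fixed identity (constructed data).
toy_commit() {
    git -C "$1" -c user.name=example -c user.email=example@example.invalid \
        commit -q --allow-empty -m "$2"
}

# make_toy_repo prints the path of a constructed repository whose history is:
#   n4.4 -> (placeholder fix commit for CVE-2021-38171) -> n4.4.1
make_toy_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    toy_commit "$dir" "release 4.4 (constructed)"
    git -C "$dir" tag n4.4
    toy_commit "$dir" "placeholder fix for CVE-2021-38171 (constructed)"
    toy_commit "$dir" "release 4.4.1 (constructed)"
    git -C "$dir" tag n4.4.1
    echo "$dir"
}

# Demo run on the constructed repository: the fix is the commit just before n4.4.1.
demo_repo=$(make_toy_repo)
demo_fix=$(git -C "$demo_repo" rev-parse n4.4.1~1)
echo "fix $demo_fix in n4.4:   $(fix_in_tag "$demo_repo" "$demo_fix" n4.4)"
echo "fix $demo_fix in n4.4.1: $(fix_in_tag "$demo_repo" "$demo_fix" n4.4.1)"
printf 'CVE-2021-38171 %s\n' "$demo_fix" | report_cves "$demo_repo" n4.4.1
rm -rf "$demo_repo"
```

On a real clone, feed report_cves the pairs from the advisories (for this CVE, the 4.4-branch backport fb993619d1035fa9646506925ea70fb122038999 and tag n4.4.1). For the fallback Moritz mentions, FFmpeg's configure script accepts --disable-muxer=adts, which leaves the ADTS muxer out of the build entirely; "ffmpeg -muxers" on the resulting binary confirms it is gone.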