From 90e1a4148e7a201c3ea960bc4e9e8b0c2e6a27b10f90b19068a0b0fd817dfc5b Mon Sep 17 00:00:00 2001 From: ZhaoQiang Date: Sun, 23 Feb 2025 21:52:36 +0800 Subject: [PATCH] Add 4 patches for 8 CVEs * CVE-2024-12361 * CVE-2024-35365 * CVE-2024-36613 * CVE-2025-0518 * CVE-2025-22919 * CVE-2025-22920 * CVE-2025-22921 * CVE-2025-25473
--- ffmpeg-7-CVE-2025-0518.patch | 29 +++++++++++++++++++++++++++ ffmpeg-7-CVE-2025-22919.patch | 34 ++++++++++++++++++++++++++++++++ ffmpeg-7-CVE-2025-22921.patch | 29 +++++++++++++++++++++++++++ ffmpeg-7-CVE-2025-25473.patch | 26 ++++++++++++++++++++++++ ffmpeg-7.changes | 37 +++++++++++++++++++++++++++++++++++ ffmpeg-7.spec | 4 ++++ 6 files changed, 159 insertions(+) create mode 100644 ffmpeg-7-CVE-2025-0518.patch create mode 100644 ffmpeg-7-CVE-2025-22919.patch create mode 100644 ffmpeg-7-CVE-2025-22921.patch create mode 100644 ffmpeg-7-CVE-2025-25473.patch
diff --git a/ffmpeg-7-CVE-2025-0518.patch b/ffmpeg-7-CVE-2025-0518.patch
new file mode 100644
index 0000000..12cfe06
--- /dev/null
+++ b/ffmpeg-7-CVE-2025-0518.patch
@@ -0,0 +1,29 @@
+From b5b6391d64807578ab872dc58fb8aa621dcfc38a Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Mon, 6 Jan 2025 22:01:39 +0100
+Subject: [PATCH] avfilter/af_pan: Fix sscanf() use
+
+Fixes: Memory Data Leak
+
+Found-by: Simcha Kosman
+Signed-off-by: Michael Niedermayer
+---
+ libavfilter/af_pan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c
+index 0d20b0307b..5feb2439c7 100644
+--- a/libavfilter/af_pan.c
++++ b/libavfilter/af_pan.c
+@@ -196,7 +196,7 @@ static av_cold int init(AVFilterContext *ctx)
+ sign = 1;
+ while (1) {
+ gain = 1;
+- if (sscanf(arg, "%lf%n *%n", &gain, &len, &len))
++ if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1)
+ arg += len;
+ if (parse_channel_name(&arg, &in_ch_id, &named)){
+ av_log(ctx, AV_LOG_ERROR,
+--
+2.44.0
+
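Review bot: The new `>= 1` condition is correct, but the hunk records nothing about why the old truthiness test was unsafe: sscanf() returns EOF (-1) on an empty or whitespace-only `arg`, which `if (sscanf(...))` accepted, so `arg += len` ran with `len` never written by `%n`. With a single conversion in the format, `>= 1` is effectively `== 1`, which a reader may otherwise puzzle over. Since this file is a verbatim upstream backport (index line and git trailer present), leave the code untouched and put the rationale in the package changelog where it survives a rebase; if the backport is ever re-rolled, a one-line comment above the check such as `/* sscanf() returns EOF (-1) on empty input; len is only valid after a real conversion */` would do. `len` is declared, and init() continues, outside the hunk.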
diff --git a/ffmpeg-7-CVE-2025-22919.patch b/ffmpeg-7-CVE-2025-22919.patch
new file mode 100644
index 0000000..7a0a942
--- /dev/null
+++ b/ffmpeg-7-CVE-2025-22919.patch
@@ -0,0 +1,34 @@
+From 1446e37d3d032e1452844778b3e6ba2c20f0c322 Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Mon, 30 Dec 2024 00:25:41 -0300
+Subject: [PATCH] avfilter/buffersrc: check for valid sample rate
+
+A sample rate <= 0 is invalid.
+
+Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set.
+Fixes ticket #11385.
+
+Signed-off-by: James Almer
+---
+ libavfilter/buffersrc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c
+index bdf8b14451..c921803c67 100644
+--- a/libavfilter/buffersrc.c
++++ b/libavfilter/buffersrc.c
+@@ -421,6 +421,11 @@ static av_cold int init_audio(AVFilterContext *ctx)
+ av_channel_layout_describe(&s->ch_layout, buf, sizeof(buf));
+ }
+
++ if (s->sample_rate <= 0) {
++ av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n");
++ return AVERROR(EINVAL);
++ }
++
+ if (!s->time_base.num)
+ s->time_base = (AVRational){1, s->sample_rate};
+
+--
+2.44.0
+
diff --git a/ffmpeg-7-CVE-2025-22921.patch b/ffmpeg-7-CVE-2025-22921.patch
new file mode 100644
index 0000000..3270d69
--- /dev/null
+++ b/ffmpeg-7-CVE-2025-22921.patch
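Review bot: The new guard in init_audio() rejects negative values as well as zero, but its diagnostic only says `"Sample rate not set\n"`, so a caller that stored -1 or a garbage value gets a misleading message. Reporting the value makes the failure self-explaining: `av_log(ctx, AV_LOG_ERROR, "Invalid sample rate %d\n", s->sample_rate);`. What matters for safety is that the check sits before the `(AVRational){1, s->sample_rate}` fallback, where a zero would otherwise become a zero-denominator time base, and that ordering is preserved. init_audio() continues outside the hunk, and whether other setter paths validate the same field is not visible from here.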
@@ -0,0 +1,29 @@
+From 7f9c7f9849a2155224711f0ff57ecdac6e4bfb57 Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Wed, 1 Jan 2025 23:58:39 -0300
+Subject: [PATCH] avcodec/jpeg2000dec: clear array length when freeing it
+
+Fixes NULL pointer dereferences.
+Fixes ticket #11393.
+
+Reviewed-by: Michael Niedermayer
+Signed-off-by: James Almer
+---
+ libavcodec/jpeg2000dec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
+index e5e897a29f..b82d85d5ee 100644
+--- a/libavcodec/jpeg2000dec.c
++++ b/libavcodec/jpeg2000dec.c
+@@ -1521,6 +1521,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile,
+ }
+ }
+ av_freep(&cblk->lengthinc);
++ cblk->nb_lengthinc = 0;
+ }
+ }
+ // Save state of stream
+--
+2.44.0
+
diff --git a/ffmpeg-7-CVE-2025-25473.patch b/ffmpeg-7-CVE-2025-25473.patch
new file mode 100644
index 0000000..abfd2b9
--- /dev/null
+++ b/ffmpeg-7-CVE-2025-25473.patch
@@ -0,0 +1,26 @@
+From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Fri, 17 Jan 2025 00:05:31 -0300
+Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue
+ when closing a muxer
+
+packet_buffer is used in mux.c, and if a muxing process fails at a point where
+packets remained in said queue, they will leak.
+
+Fixes ticket #11419
+
+Signed-off-by: James Almer
+---
+ libavformat/avformat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/libavformat/avformat.c
++++ b/libavformat/avformat.c
+@@ -184,6 +184,7 @@
+ av_dict_free(&si->id3v2_meta);
+ av_packet_free(&si->pkt);
+ av_packet_free(&si->parse_pkt);
++ avpriv_packet_list_free(&si->packet_buffer);
+ av_freep(&s->streams);
+ av_freep(&s->stream_groups);
+ ff_flush_packet_queue(s);
diff --git a/ffmpeg-7.changes b/ffmpeg-7.changes
index fddea60..42dff1e 100644
--- a/ffmpeg-7.changes
+++ b/ffmpeg-7.changes
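Review bot: Zeroing `cblk->nb_lengthinc` right after `av_freep(&cblk->lengthinc)` fixes this free site, but the pair of statements is the invariant, and nothing in the hunk says so; whoever next edits this loop will not know the count must track the pointer. A one-line comment on the new line would carry that: `/* lengthinc is gone; reset its count so later packets cannot index the NULL buffer */`. Any other place that frees `lengthinc` (cleanup code outside this hunk, if it exists) needs the same reset, which is worth confirming in the 7.x tree this patch is applied to. The enclosing jpeg2000_decode_packet() starts and ends outside the hunk.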
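Review bot: The avformat.c patch is the only one of the four that was hand-adapted: it has no `index` line, no function name on the `@@ -184,6 +184,7 @@` header and no git trailer, so a reviewer cannot tell from the file alone what differs from upstream c08d3004, and the enclosing function is not identifiable from the hunk. The context also shows `ff_flush_packet_queue(s);` three lines below the insertion; if that helper already drains `si->packet_buffer` on this path, the new `avpriv_packet_list_free(&si->packet_buffer)` is presumably harmless but redundant, so the 7.x-specific need for it should be confirmed rather than taken from the commit message. Record the adaptation in the patch header so the next rebase does not silently lose it, e.g. a line after the Signed-off-by: `[ffmpeg-7 backport: hunk context adjusted, code unchanged from upstream]`.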
@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Fri Feb 19 05:17:22 UTC 2025 - Cliff Zhao
+
+- Add ffmpeg-7-CVE-2025-22921.patch:
+ Backporting 7f9c7f98 from upstream, clear array length when
+ freeing it.
+ (CVE-2025-22921, bsc#1237382)
+
+-------------------------------------------------------------------
+Fri Feb 19 04:27:06 UTC 2025 - Cliff Zhao
+
+- Add ffmpeg-7-CVE-2025-25473.patch:
+ Backporting c08d3004 from upstream, clear FFFormatContext packet.
+ When packet_buffer is used in mux.c, and if a muxing process fails
+ at a point where packets remained in said queue.
+ (CVE-2025-25473, bsc#1237351)
+
+-------------------------------------------------------------------
+Fri Feb 19 03:18:02 UTC 2025 - Cliff Zhao
+
+- Add ffmpeg-7-CVE-2025-0518.patch:
+ Backporting b5b6391d from upstream, fixes memory data leak when
+ use sscanf().
+ (CVE-2025-0518, bsc#1236007)
+
+-------------------------------------------------------------------
+Fri Feb 19 02:58:01 UTC 2025 - Cliff Zhao
+
+- Add ffmpeg-7-CVE-2025-22919.patch:
+ Backporting 1446e37d from upstream, check for valid sample rate
+ As the sample rate <= 0 is invalid.
+ (CVE-2025-22919, bsc#1237371)
+
 -------------------------------------------------------------------
 Tue Oct 15 08:18:54 UTC 2024 - Antonio Larrosa
 
@@ -22,6 +55,8 @@ Wed Oct 2 08:20:18 UTC 2024 - Jan Engelhardt
 disposition
 * LCEVC enhancement data exporting in H.26x and MP4/ISOBMFF
 * LCEVC filter
+ * avcodec/mpegvideo_enc: Add check for av_packet_new_side_data (CVE-2024-12361, bsc#1237358)
+ * avformat/dump: print only the actual streams in a tile grid group (CVE-2025-22920, bsc#1237380)
 - Delete patches/ffmpeg-7-fix-crashes.patch,
 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
 (merged)
@@ -70,6 +105,8 @@ Wed Aug 7 07:37:24 UTC 2024 - Cliff Zhao
 * avfilter/vf_tiltandshift: fix buffer offset for yuv422p input (CVE-2024-32229, bsc#1227295)
 * avcodec/mpegvideo_enc: Fix 1 line and one column images (CVE-2024-32230, bsc#1227296)
 * avcodec/pnmdec: Use 64bit for input size check (CVE-2024-7055, bsc#1229026)
+ * fftools/ffmpeg_mux_init: Fix double-free on error (CVE-2024-35365, bsc#1235091)
+ * avformat/dxa: Adjust order of operations around block align (CVE-2024-36613, bsc#1235092)
 - Drop ffmpeg-7-CVE-2024-32228.patch:
 The fix has been merged.
 - Drop ffmpeg-7-CVE-2024-32229.patch:
diff --git a/ffmpeg-7.spec b/ffmpeg-7.spec
index ef22b03..3510864 100644
--- a/ffmpeg-7.spec
+++ b/ffmpeg-7.spec
@@ -120,6 +120,10 @@ Patch5: work-around-abi-break.patch
 Patch10: ffmpeg-chromium.patch
 Patch91: ffmpeg-dlopen-openh264.patch
 Patch15: 11013-avcodec-decode-clean-up-if-get_hw_frames_parameters-.patch
+Patch16: ffmpeg-7-CVE-2025-22919.patch
+Patch17: ffmpeg-7-CVE-2025-0518.patch
+Patch18: ffmpeg-7-CVE-2025-25473.patch
+Patch19: ffmpeg-7-CVE-2025-22921.patch
 BuildRequires: ladspa-devel
 BuildRequires: libgsm-devel
 BuildRequires: libmp3lame-devel >= 3.98.3
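Review bot: The spec hunk only declares `Patch16:` through `Patch19:`; the `%prep` section that applies them is outside the hunk, so if this spec applies patches with explicit `%patch -P N` lines rather than `%autosetup`/`%autopatch`, the four files ship in the source RPM but are never applied and the package would claim to fix CVEs it still contains. Please confirm the application step before merging, or mention it in the changelog entry. The `Patch91` before `Patch15` ordering already in the context shows numbering is not kept monotonic, so the new numbers are fine; a comment line above each new tag such as `# CVE-2025-22919, bsc#1237371` would make later drops easier to audit.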