
CVEs affecting ffmpeg 4.4.1

Open colin-pm opened this issue 1 year ago • 3 comments

Hello,

After running cve-check on the Kirkstone branch, several CVEs have been identified with ffmpeg 4.4.1.

  • CVE-2022-48434
  • CVE-2023-46407
  • CVE-2023-47470
  • CVE-2024-7272
  • CVE-2024-22860
  • CVE-2024-22862

I've experimented with applying the patches for these CVEs to ffmpeg 4.4.1. All of the patches have merge conflicts. Four of the CVE patches do not even appear to apply to files that exist in 4.4.1, meaning the CVE might not exist in 4.4.1, or is hidden somewhere else in the code. Upgrading ffmpeg might be the better solution, but 1c6c0f6 indicates there is a blocker preventing an upgrade of ffmpeg. Will this be resolved so a newer version of ffmpeg can be used?

colin-pm, Jan 02 '25 22:01

I don't expect this to be worked on in the Kirkstone branch, as there is a new version already included in the new Scarthgap release.

otavio, Jan 02 '25 23:01

This appears to affect the newest release as well, which also includes ffmpeg 4.4.1.

colin-pm, Jan 03 '25 13:01

There appears to be a new batch of CVEs that affect ffmpeg 4.4.1.

colin-pm, Jun 05 '25 15:06