SB2023050703 - SUSE update for ffmpeg

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Division by zero (CVE-ID: CVE-2019-13390)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a divide-by-zero condition in the "adx_write_trailer" function in the "libavformat/rawenc.c" file. A remote attacker can trick the victim to open a specially crafted file and crash the affected application.

2) NULL pointer dereference (CVE-ID: CVE-2022-3341)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the decode_main_header() function in libavformat/nutdec.c A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.

3) Use-after-free (CVE-ID: CVE-2022-48434)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in libavcodec/pthread_frame.c. A remote attacker can pass a specially crafted file to the application, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2023/suse-su-20232115-1/