[FFmpeg-user] ffmpeg 4.4.1 security issue

Moritz Barsnick barsnick at gmx.net
Thu Jan 6 18:06:41 EET 2022


On Thu, Jan 06, 2022 at 13:12:51 +0000, FFmpeg user discussions wrote:
> I am currently a data scientist at USAA. I was trying to use FFMPEG 4.4.1 to convert spex audio files to wav audio format.
>
> My security team denied the download of the package, and here is the following explanation that they gave:
> DOWNLOAD DENIED: Multiple known vulnerabilities like CVE-2021-38171
> I was wondering how I can get this fixed or if it is already fixed in a later version?

The fix is mentioned in the CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-38171):

https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6

It was ported to the 4.4 branch here:

https://github.com/FFmpeg/FFmpeg/commit/fb993619d1035fa9646506925ea70fb122038999

and that is contained in release 4.4.1, as far as I can tell (by
"git tag --contains fb993619d1035fa9646506925ea70fb122038999").

So the CVE refers to version 4.4, and version 4.4.1 fixes this and is
therefore not affected, AFAICT.

You'll have to have your security team check 4.4.1. You may need to
check each CVE separately (they mention "multiple known
vulnerabilities"). If in doubt, disable the affected feature (as in
this case: the ADTS muxer).

Hope this helps,
Moritz
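The check Moritz describes, as an added shell example that is not from the thread: `fix_in_tag` wraps `git tag --contains` so it can be applied to each CVE's fix commit against a local FFmpeg clone, `adts_muxer_enabled` checks whether a build still carries the muxer named above, and `make_demo_repo` builds a constructed throwaway repository so the tag check can be exercised offline. Assumed: git is installed; the real hashes from the thread appear only in the usage comment.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Against a local clone:
#   fix_in_tag /path/to/FFmpeg fb993619d1035fa9646506925ea70fb122038999 n4.4.1
# The constructed demo repository below exists only to self-test the check.

# fix_in_tag REPO COMMIT TAG
# exit 0: TAG contains COMMIT (the release carries the fix)
# exit 1: COMMIT exists but is not reachable from TAG (release is unfixed)
# exit 2: COMMIT or TAG is unknown to the repository (re-check the reference)
fix_in_tag() {
    repo=$1; commit=$2; tag=$3
    git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null || return 2
    git -C "$repo" rev-parse -q --verify "refs/tags/$tag" >/dev/null || return 2
    # --contains lists every tag reachable from the commit; match the name exactly
    git -C "$repo" tag --contains "$commit" | grep -qx "$tag"
}

# adts_muxer_enabled FFMPEG_BINARY
# exit 0 if the build lists the ADTS muxer (second column of `ffmpeg -muxers`);
# a build configured with --disable-muxer=adts returns 1.
adts_muxer_enabled() {
    "$1" -hide_banner -muxers 2>/dev/null |
        awk '$2 == "adts" { found = 1 } END { exit !found }'
}

# make_demo_repo: constructed throwaway repository with one "fix" commit
# tagged v1.1 and one later untagged commit, so fix_in_tag can run offline.
# Prints the repository path; the caller removes it when done.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "fix: bounds check"
    git -C "$dir" tag v1.1
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "later change"
    printf '%s\n' "$dir"
}
```

For "multiple known vulnerabilities", run `fix_in_tag` once per CVE fix commit from the NVD references against the same release tag; any exit 1 means that CVE is still open in that release.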