Unchecked Return Value Affecting ffmpeg package, versions <7:4.2.7-0ubuntu0.1
Threat Intelligence
EPSS: 0.92% (84th percentile)
- Snyk ID SNYK-UBUNTU2004-FFMPEG-1569330
- published 24 Aug 2021
- disclosed 21 Aug 2021
Introduced: 21 Aug 2021
CVE-2021-38171
How to fix?
Upgrade Ubuntu:20.04 ffmpeg to version 7:4.2.7-0ubuntu0.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ffmpeg package and not the ffmpeg package as distributed by Ubuntu.
See How to fix? for Ubuntu:20.04 relevant fixed versions and status.
adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.
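The defect class described above is an initialisation routine whose failure result is ignored, so parsing continues on a reader that was never set up. The following is an added illustration, not FFmpeg's code: it uses a hypothetical minimal bit reader (`BitReader`, `bit_reader_init`, `read_bits`) and a hypothetical config parser rather than `GetBitContext`/`init_get_bits` or `adts_decode_extradata`, and it assumes the size argument arrives from an untrusted length field, as the description says it can. The unchecked variant reports success and hands back nonsense fields; the checked variant propagates the error.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal MSB-first bit reader (not FFmpeg's GetBitContext). */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos_bits;
} BitReader;

/* Returns 0 on success, -1 when the caller-supplied size is invalid.
 * On failure the reader is left empty so that every read fails; a real
 * init may leave a half-configured state, which is exactly why ignoring
 * the return value is dangerous. */
static int bit_reader_init(BitReader *br, const uint8_t *buf, int size_bytes)
{
    br->buf = NULL;
    br->size_bits = 0;
    br->pos_bits = 0;
    if (!buf || size_bytes < 0 || (size_t)size_bytes > SIZE_MAX / 8)
        return -1;
    br->buf = buf;
    br->size_bits = (size_t)size_bytes * 8;
    return 0;
}

/* Read n bits (1..24) MSB-first; returns -1 if the read would run past the end. */
static int read_bits(BitReader *br, unsigned n)
{
    if (n == 0 || n > 24 || br->pos_bits + n > br->size_bits)
        return -1;
    int v = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t p = br->pos_bits + i;
        v = (v << 1) | ((br->buf[p >> 3] >> (7 - (p & 7))) & 1);
    }
    br->pos_bits += n;
    return v;
}

/* Hypothetical audio config: 5-bit object type, 4-bit sampling index, 4-bit channels. */
typedef struct {
    int object_type;
    int sampling_index;
    int channels;
} AudioConfig;

/* Vulnerable pattern: the init result is discarded, so a crafted size
 * still yields "success" and the caller consumes garbage field values. */
static int parse_config_unchecked(const uint8_t *buf, int size, AudioConfig *cfg)
{
    BitReader br;
    bit_reader_init(&br, buf, size);          /* return value ignored */
    cfg->object_type    = read_bits(&br, 5);
    cfg->sampling_index = read_bits(&br, 4);
    cfg->channels       = read_bits(&br, 4);
    return 0;
}

/* Hardened pattern: fail closed on init failure and on short input. */
static int parse_config_checked(const uint8_t *buf, int size, AudioConfig *cfg)
{
    BitReader br;
    if (bit_reader_init(&br, buf, size) < 0)
        return -1;
    int ot = read_bits(&br, 5);
    int si = read_bits(&br, 4);
    int ch = read_bits(&br, 4);
    if (ot < 0 || si < 0 || ch < 0)
        return -1;                            /* truncated input */
    cfg->object_type    = ot;
    cfg->sampling_index = si;
    cfg->channels       = ch;
    return 0;
}

/* Constructed sample: object type 2, sampling index 4, 2 channels, packed MSB-first. */
static const uint8_t SAMPLE_CONFIG[] = { 0x12, 0x10 };

int main(void)
{
    AudioConfig cfg;
    int rc = parse_config_checked(SAMPLE_CONFIG, (int)sizeof SAMPLE_CONFIG, &cfg);
    printf("checked, valid size: rc=%d type=%d rate_idx=%d ch=%d\n",
           rc, cfg.object_type, cfg.sampling_index, cfg.channels);
    rc = parse_config_checked(SAMPLE_CONFIG, -1, &cfg);
    printf("checked, crafted size -1: rc=%d\n", rc);
    rc = parse_config_unchecked(SAMPLE_CONFIG, -1, &cfg);
    printf("unchecked, crafted size -1: rc=%d ch=%d (garbage accepted)\n", rc, cfg.channels);
    return 0;
}
```

The detection point for review is mechanical: any call to an initialiser that documents an error return must have its result tested on the very next line, and a negative-size or oversized length coming from the container is the input that exercises it.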
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-38171
- https://www.debian.org/security/2021/dsa-4990
- https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6
- https://patchwork.ffmpeg.org/project/ffmpeg/patch/AS8P193MB12542A86E22F8207EC971930B6F19@AS8P193MB1254.EURP193.PROD.OUTLOOK.COM/
- https://www.debian.org/security/2021/dsa-4998
- https://lists.debian.org/debian-lts-announce/2021/11/msg00012.html
- https://patchwork.ffmpeg.org/project/ffmpeg/patch/AS8P193MB12542A86E22F8207EC971930B6F19%40AS8P193MB1254.EURP193.PROD.OUTLOOK.COM/
- https://security.gentoo.org/glsa/202312-14
CVSS Scores
version 3.1