SUSE-SU-2025:1128-1: important: Security update for ffmpeg-4

SLE-UPDATES null at suse.de
Thu Apr 3 12:30:25 UTC 2025



# Security update for ffmpeg-4

Announcement ID: SUSE-SU-2025:1128-1  
Release Date: 2025-04-03T11:54:06Z  
Rating: important  
References:

  * bsc#1186756
  * bsc#1202848
  * bsc#1215945
  * bsc#1219494
  * bsc#1229338
  * bsc#1230983
  * bsc#1234028
  * bsc#1235092
  * bsc#1236007
  * bsc#1237351
  * bsc#1237358
  * bsc#1237371
  * bsc#1237382
  * jsc#PED-10024

  
Cross-References:

  * CVE-2020-22037
  * CVE-2024-12361
  * CVE-2024-35368
  * CVE-2024-36613
  * CVE-2025-0518
  * CVE-2025-22919
  * CVE-2025-22921
  * CVE-2025-25473

  
CVSS scores:

  * CVE-2020-22037 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2020-22037 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2024-12361 ( SUSE ):  5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2024-12361 ( SUSE ):  4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2024-35368 ( SUSE ):  6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2024-35368 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2024-35368 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2024-36613 ( SUSE ):  4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2024-36613 ( SUSE ):  3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
  * CVE-2024-36613 ( NVD ):  6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-0518 ( SUSE ):  4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2025-0518 ( NVD ):  4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-22919 ( SUSE ):  4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-22919 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  * CVE-2025-22919 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2025-22921 ( SUSE ):  4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-22921 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  * CVE-2025-22921 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2025-25473 ( SUSE ):  0.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
  * CVE-2025-25473 ( SUSE ):  0.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N
  * CVE-2025-25473 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

  
Affected Products:

  * openSUSE Leap 15.4
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP4 LTSS
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4

  
  
An update that solves eight vulnerabilities, contains one feature and has five
security fixes can now be installed.

## Description:

This update for ffmpeg-4 fixes the following issues:

  * CVE-2020-22037: Fixed unchecked return value of the init_vlc function
    (bsc#1186756)
  * CVE-2024-12361: Fixed null pointer dereference (bsc#1237358)
  * CVE-2024-35368: Fixed double free via the rkmpp_retrieve_frame function
    within libavcodec/rkmppdec.c (bsc#1234028)
  * CVE-2024-36613: Fixed integer overflow in the DXA demuxer of the libavformat
    library (bsc#1235092)
  * CVE-2025-0518: Fixed memory leak due to unchecked sscanf return value
    (bsc#1236007)
  * CVE-2025-22919: Fixed denial of service (DoS) via opening a crafted AAC file
    (bsc#1237371)
  * CVE-2025-22921: Fixed segmentation violation in NULL pointer dereference via
    the component /libavcodec/jpeg2000dec.c (bsc#1237382)
  * CVE-2025-25473: Fixed memory leak in avformat_free_context() (bsc#1237351)

Other fixes:

  * Build with SVT-AV1 3.0.0.
  * Update to release 4.4.5:
    * Adjust bconds to build the package in SLFO without xvidcore.
    * Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
      (bsc#1229338)
    * Add ffmpeg-c99.patch so that the package conforms to the C99 standard and
      builds on i586 with GCC 14.
    * No longer build against libmfx; build against libvpl (bsc#1230983,
      bsc#1219494)
    * Drop libmfx dependency from our product (jsc#PED-10024)
    * Update patch to build with glslang 14
    * Disable vmaf integration as ffmpeg-4 cannot handle vmaf >= 3
    * Copy codec list from ffmpeg-6
    * Resolve build failure with binutils >= 2.41 (bsc#1215945)
  * Update to version 4.4.4:
    * avcodec/012v: Order operations for odd size handling
    * avcodec/alsdec: The minimal block is at least 7 bits
    * avcodec/bink:
      * Avoid undefined out of array end pointers in binkb_decode_plane()
      * Fix off by 1 error in ref end
    * avcodec/eac3dec: avoid float noise in fixed mode addition to overflow
    * avcodec/eatgq: Check index increments in tgq_decode_block()
    * avcodec/escape124:
      * Fix signedness of end of input check
      * Fix some return codes
    * avcodec/ffv1dec:
      * Check that num h/v slices is supported
      * Fail earlier if prior context is corrupted
      * Restructure slice coordinate reading a bit
    * avcodec/mjpegenc: take into account component count when writing the SOF
      header size
    * avcodec/mlpdec: Check max matrix instead of max channel in noise check
    * avcodec/motionpixels: Mask pixels to valid values
    * avcodec/mpeg12dec: Check input size
    * avcodec/nvenc:
      * Fix b-frame DTS behavior with fractional framerates
      * Fix vbv buffer size in cq mode
    * avcodec/pictordec: Remove mid exit branch
    * avcodec/pngdec: Check deloco index more exactly
    * avcodec/rpzaenc: stop accessing out of bounds frame
    * avcodec/scpr3: Check bx
    * avcodec/scpr: Test bx before use
    * avcodec/snowenc: Fix visual weight calculation
    * avcodec/speedhq: Check buf_size to be big enough for DC
    * avcodec/sunrast: Fix maplength check
    * avcodec/tests/snowenc:
      * Fix 2nd test
      * Return a failure if DWT/IDWT mismatches
      * Unbreak DWT tests
    * avcodec/tiff: Ignore tile_count
    * avcodec/utils:
      * Allocate a line more for VC1 and WMV3
      * Ensure linesize for SVQ3
      * Use 32pixel alignment for bink
    * avcodec/videodsp_template: Adjust pointers to avoid undefined pointer
      things
    * avcodec/vp3: Add missing check for av_malloc
    * avcodec/wavpack:
      * Avoid undefined shift in get_tail()
      * Check for end of input in wv_unpack_dsd_high()
    * avcodec/xpmdec: Check size before allocation to avoid truncation
    * avfilter/vf_untile: swap the chroma shift values used for plane offsets
    * avformat/id3v2: Check taglen in read_uslt()
    * avformat/mov: Check samplesize and offset to avoid integer overflow
    * avformat/mxfdec: Use 64bit in remainder
    * avformat/nutdec: Add check for avformat_new_stream
    * avformat/replaygain: avoid undefined / negative abs
    * swscale/input: Use more unsigned intermediates
    * swscale/output: Bias 16bps output calculations to improve non overflowing
      range
    * swscale: aarch64: Fix yuv2rgb with negative stride
    * Use https for repository links
  * Update to version 4.4.3:
    * Stable bug fix release, mainly codecs, filter and format fixes.
  * Add patch to detect SDL2 >= 2.1.0 (bsc#1202848)
  * Update to version 4.4.2:
    * Stable bug fix release, mainly codecs, filter and format fixes.
  * Add conflicts for ffmpeg-5's tools
  * Enable Vulkan filters
  * Fix OS version check, so nvcodec is enabled for Leap too.
  * Disable libsmbclient usage (it can always be built with --with-smbclient):
    the use case of ffmpeg directly accessing smb:// shares is quite contrived
    (most users will have their smb shares mounted).
  * Update to version 4.4.1:
    * Stable bug fix release, mainly codecs and format fixes.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch SUSE-2025-1128=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1128=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1128=1

  * SUSE Linux Enterprise Server 15 SP4 LTSS  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1128=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP4  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1128=1

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    * libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    * ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    * libavcodec58_134-4.4.5-150400.3.46.1
    * ffmpeg-4-libavdevice-devel-4.4.5-150400.3.46.1
    * ffmpeg-4-libavresample-devel-4.4.5-150400.3.46.1
    * ffmpeg-4-libswscale-devel-4.4.5-150400.3.46.1
    * libavfilter7_110-debuginfo-4.4.5-150400.3.46.1
    * libavformat58_76-4.4.5-150400.3.46.1
    * libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    * libavresample4_0-4.4.5-150400.3.46.1
    * ffmpeg-4-libswresample-devel-4.4.5-150400.3.46.1
    * libavdevice58_13-debuginfo-4.4.5-150400.3.46.1
    * ffmpeg-4-4.4.5-150400.3.46.1
    * ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    * libswscale5_9-debuginfo-4.4.5-150400.3.46.1
    * libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-4.4.5-150400.3.46.1
    * ffmpeg-4-libavutil-devel-4.4.5-150400.3.46.1
    * libpostproc55_9-4.4.5-150400.3.46.1
    * ffmpeg-4-libpostproc-devel-4.4.5-150400.3.46.1
    * libavfilter7_110-4.4.5-150400.3.46.1
    * ffmpeg-4-libavcodec-devel-4.4.5-150400.3.46.1
    * ffmpeg-4-libavfilter-devel-4.4.5-150400.3.46.1
    * ffmpeg-4-libavformat-devel-4.4.5-150400.3.46.1
    * libswscale5_9-4.4.5-150400.3.46.1
    * libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    * libavdevice58_13-4.4.5-150400.3.46.1
    * libswresample3_9-4.4.5-150400.3.46.1
    * ffmpeg-4-private-devel-4.4.5-150400.3.46.1
    * libavresample4_0-debuginfo-4.4.5-150400.3.46.1
  * openSUSE Leap 15.4 (x86_64)
    * libavresample4_0-32bit-4.4.5-150400.3.46.1
    * libswresample3_9-32bit-debuginfo-4.4.5-150400.3.46.1
    * libavformat58_76-32bit-debuginfo-4.4.5-150400.3.46.1
    * libavresample4_0-32bit-debuginfo-4.4.5-150400.3.46.1
    * libpostproc55_9-32bit-4.4.5-150400.3.46.1
    * libavcodec58_134-32bit-debuginfo-4.4.5-150400.3.46.1
    * libavcodec58_134-32bit-4.4.5-150400.3.46.1
    * libswresample3_9-32bit-4.4.5-150400.3.46.1
    * libswscale5_9-32bit-debuginfo-4.4.5-150400.3.46.1
    * libavdevice58_13-32bit-debuginfo-4.4.5-150400.3.46.1
    * libavformat58_76-32bit-4.4.5-150400.3.46.1
    * libpostproc55_9-32bit-debuginfo-4.4.5-150400.3.46.1
    * libswscale5_9-32bit-4.4.5-150400.3.46.1
    * libavfilter7_110-32bit-debuginfo-4.4.5-150400.3.46.1
    * libavfilter7_110-32bit-4.4.5-150400.3.46.1
    * libavutil56_70-32bit-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-32bit-4.4.5-150400.3.46.1
    * libavdevice58_13-32bit-4.4.5-150400.3.46.1
  * openSUSE Leap 15.4 (aarch64_ilp32)
    * libavresample4_0-64bit-debuginfo-4.4.5-150400.3.46.1
    * libpostproc55_9-64bit-4.4.5-150400.3.46.1
    * libavutil56_70-64bit-4.4.5-150400.3.46.1
    * libavfilter7_110-64bit-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-64bit-debuginfo-4.4.5-150400.3.46.1
    * libswscale5_9-64bit-4.4.5-150400.3.46.1
    * libavfilter7_110-64bit-4.4.5-150400.3.46.1
    * libavdevice58_13-64bit-4.4.5-150400.3.46.1
    * libpostproc55_9-64bit-debuginfo-4.4.5-150400.3.46.1
    * libavcodec58_134-64bit-debuginfo-4.4.5-150400.3.46.1
    * libavresample4_0-64bit-4.4.5-150400.3.46.1
    * libswscale5_9-64bit-debuginfo-4.4.5-150400.3.46.1
    * libavdevice58_13-64bit-debuginfo-4.4.5-150400.3.46.1
    * libavformat58_76-64bit-debuginfo-4.4.5-150400.3.46.1
    * libavcodec58_134-64bit-4.4.5-150400.3.46.1
    * libavutil56_70-64bit-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-64bit-4.4.5-150400.3.46.1
    * libavformat58_76-64bit-4.4.5-150400.3.46.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
    * libpostproc55_9-4.4.5-150400.3.46.1
    * libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    * ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    * libavcodec58_134-4.4.5-150400.3.46.1
    * libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    * libavformat58_76-4.4.5-150400.3.46.1
    * ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-4.4.5-150400.3.46.1
    * libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-4.4.5-150400.3.46.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
    * libpostproc55_9-4.4.5-150400.3.46.1
    * libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    * ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    * libavcodec58_134-4.4.5-150400.3.46.1
    * libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    * libavformat58_76-4.4.5-150400.3.46.1
    * ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-4.4.5-150400.3.46.1
    * libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-4.4.5-150400.3.46.1
  * SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
    * libpostproc55_9-4.4.5-150400.3.46.1
    * libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    * ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    * libavcodec58_134-4.4.5-150400.3.46.1
    * libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    * libavformat58_76-4.4.5-150400.3.46.1
    * ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-4.4.5-150400.3.46.1
    * libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-4.4.5-150400.3.46.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
    * libpostproc55_9-4.4.5-150400.3.46.1
    * libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
    * ffmpeg-4-debugsource-4.4.5-150400.3.46.1
    * libavcodec58_134-4.4.5-150400.3.46.1
    * libavformat58_76-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-debuginfo-4.4.5-150400.3.46.1
    * libavformat58_76-4.4.5-150400.3.46.1
    * ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-debuginfo-4.4.5-150400.3.46.1
    * libswresample3_9-4.4.5-150400.3.46.1
    * libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
    * libavutil56_70-4.4.5-150400.3.46.1

## References:

  * https://www.suse.com/security/cve/CVE-2020-22037.html
  * https://www.suse.com/security/cve/CVE-2024-12361.html
  * https://www.suse.com/security/cve/CVE-2024-35368.html
  * https://www.suse.com/security/cve/CVE-2024-36613.html
  * https://www.suse.com/security/cve/CVE-2025-0518.html
  * https://www.suse.com/security/cve/CVE-2025-22919.html
  * https://www.suse.com/security/cve/CVE-2025-22921.html
  * https://www.suse.com/security/cve/CVE-2025-25473.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1186756
  * https://bugzilla.suse.com/show_bug.cgi?id=1202848
  * https://bugzilla.suse.com/show_bug.cgi?id=1215945
  * https://bugzilla.suse.com/show_bug.cgi?id=1219494
  * https://bugzilla.suse.com/show_bug.cgi?id=1229338
  * https://bugzilla.suse.com/show_bug.cgi?id=1230983
  * https://bugzilla.suse.com/show_bug.cgi?id=1234028
  * https://bugzilla.suse.com/show_bug.cgi?id=1235092
  * https://bugzilla.suse.com/show_bug.cgi?id=1236007
  * https://bugzilla.suse.com/show_bug.cgi?id=1237351
  * https://bugzilla.suse.com/show_bug.cgi?id=1237358
  * https://bugzilla.suse.com/show_bug.cgi?id=1237371
  * https://bugzilla.suse.com/show_bug.cgi?id=1237382
  * https://jira.suse.com/browse/PED-10024
