SUSE-SU-2025:1128-1: important: Security update for ffmpeg-4
SLE-UPDATES
null at suse.de
Thu Apr 3 12:30:25 UTC 2025
# Security update for ffmpeg-4
Announcement ID: SUSE-SU-2025:1128-1
Release Date: 2025-04-03T11:54:06Z
Rating: important
References:
* bsc#1186756
* bsc#1202848
* bsc#1215945
* bsc#1219494
* bsc#1229338
* bsc#1230983
* bsc#1234028
* bsc#1235092
* bsc#1236007
* bsc#1237351
* bsc#1237358
* bsc#1237371
* bsc#1237382
* jsc#PED-10024
Cross-References:
* CVE-2020-22037
* CVE-2024-12361
* CVE-2024-35368
* CVE-2024-36613
* CVE-2025-0518
* CVE-2025-22919
* CVE-2025-22921
* CVE-2025-25473
CVSS scores:
* CVE-2020-22037 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2020-22037 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2024-12361 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2024-12361 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-35368 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2024-35368 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-35368 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-36613 ( SUSE ): 4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2024-36613 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
* CVE-2024-36613 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-0518 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-0518 ( NVD ): 4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-22919 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-22919 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2025-22919 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-22921 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-22921 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2025-22921 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-25473 ( SUSE ): 0.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-25473 ( SUSE ): 0.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N
* CVE-2025-25473 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
An update that solves eight vulnerabilities, contains one feature and has five
security fixes can now be installed.
## Description:
This update for ffmpeg-4 fixes the following issues:
* CVE-2020-22037: Fixed unchecked return value of the init_vlc function
(bsc#1186756)
* CVE-2024-12361: Fixed null pointer dereference (bsc#1237358)
* CVE-2024-35368: Fixed double free via the rkmpp_retrieve_frame function
within libavcodec/rkmppdec.c (bsc#1234028)
* CVE-2024-36613: Fixed integer overflow in the DXA demuxer of the libavformat
library (bsc#1235092)
* CVE-2025-0518: Fixed memory leak due to unchecked sscanf return value
(bsc#1236007)
* CVE-2025-22919: Fixed denial of service (DoS) via opening a crafted AAC file
(bsc#1237371)
* CVE-2025-22921: Fixed segmentation violation in NULL pointer dereference via
the component /libavcodec/jpeg2000dec.c (bsc#1237382)
* CVE-2025-25473: Fixed memory leak in avformat_free_context() (bsc#1237351)
Other fixes:
* Build with SVT-AV1 3.0.0.
* Update to release 4.4.5:
* Adjust bconds to build the package in SLFO without xvidcore.
* Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
(bsc#1229338)
* Add ffmpeg-c99.patch so that the package conforms to the C99 standard and
builds on i586 with GCC 14.
* No longer build against libmfx; build against libvpl (bsc#1230983,
bsc#1219494)
* Drop libmfx dependency from our product (jira #PED-10024)
* Update patch to build with glslang 14
* Disable vmaf integration as ffmpeg-4 cannot handle vmaf>=3
* Copy codec list from ffmpeg-6
* Resolve build failure with binutils >= 2.41. (bsc#1215945)
* Update to version 4.4.4:
* avcodec/012v: Order operations for odd size handling
* avcodec/alsdec: The minimal block is at least 7 bits
* avcodec/bink:
* Avoid undefined out of array end pointers in
binkb_decode_plane()
* Fix off by 1 error in ref end
* avcodec/eac3dec: avoid float noise in fixed mode addition to
overflow
* avcodec/eatgq: Check index increments in tgq_decode_block()
* avcodec/escape124:
* Fix signedness of end of input check
* Fix some return codes
* avcodec/ffv1dec:
* Check that num h/v slices is supported
* Fail earlier if prior context is corrupted
* Restructure slice coordinate reading a bit
* avcodec/mjpegenc: take into account component count when
writing the SOF header size
* avcodec/mlpdec: Check max matrix instead of max channel in
noise check
* avcodec/motionpixels: Mask pixels to valid values
* avcodec/mpeg12dec: Check input size
* avcodec/nvenc:
* Fix b-frame DTS behavior with fractional framerates
* Fix vbv buffer size in cq mode
* avcodec/pictordec: Remove mid exit branch
* avcodec/pngdec: Check deloco index more exactly
* avcodec/rpzaenc: stop accessing out of bounds frame
* avcodec/scpr3: Check bx
* avcodec/scpr: Test bx before use
* avcodec/snowenc: Fix visual weight calculation
* avcodec/speedhq: Check buf_size to be big enough for DC
* avcodec/sunrast: Fix maplength check
* avcodec/tests/snowenc:
* Fix 2nd test
* Return a failure if DWT/IDWT mismatches
* Unbreak DWT tests
* avcodec/tiff: Ignore tile_count
* avcodec/utils:
* Allocate a line more for VC1 and WMV3
* Ensure linesize for SVQ3
* Use 32pixel alignment for bink
* avcodec/videodsp_template: Adjust pointers to avoid undefined
pointer things
* avcodec/vp3: Add missing check for av_malloc
* avcodec/wavpack:
* Avoid undefined shift in get_tail()
* Check for end of input in wv_unpack_dsd_high()
* avcodec/xpmdec: Check size before allocation to avoid
truncation
* avfilter/vf_untile: swap the chroma shift values used for plane
offsets
* avformat/id3v2: Check taglen in read_uslt()
* avformat/mov: Check samplesize and offset to avoid integer
overflow
* avformat/mxfdec: Use 64bit in remainder
* avformat/nutdec: Add check for avformat_new_stream
* avformat/replaygain: avoid undefined / negative abs
* swscale/input: Use more unsigned intermediates
* swscale/output: Bias 16bps output calculations to improve non
overflowing range
* swscale: aarch64: Fix yuv2rgb with negative stride
* Use https for repository links
* Update to version 4.4.3:
* Stable bug fix release, mainly codecs, filter and format fixes.
* Add patch to detect SDL2 >= 2.1.0 (bsc#1202848):
* Update to version 4.4.2:
* Stable bug fix release, mainly codecs, filter and format fixes.
* Add conflicts for ffmpeg-5's tools
* Enable Vulkan filters
* Fix OS version check, so nvcodec is enabled for Leap too.
* Disable libsmbclient usage (can always be built with
--with-smbclient): the use case of ffmpeg directly accessing
smb:// shares is quite constructed (most users will have their
smb shares mounted).
* Update to version 4.4.1:
* Stable bug fix release, mainly codecs and format fixes.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2025-1128=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1128=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1128=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1128=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1128=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
* ffmpeg-4-debugsource-4.4.5-150400.3.46.1
* libavcodec58_134-4.4.5-150400.3.46.1
* ffmpeg-4-libavdevice-devel-4.4.5-150400.3.46.1
* ffmpeg-4-libavresample-devel-4.4.5-150400.3.46.1
* ffmpeg-4-libswscale-devel-4.4.5-150400.3.46.1
* libavfilter7_110-debuginfo-4.4.5-150400.3.46.1
* libavformat58_76-4.4.5-150400.3.46.1
* libavutil56_70-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-debuginfo-4.4.5-150400.3.46.1
* libavresample4_0-4.4.5-150400.3.46.1
* ffmpeg-4-libswresample-devel-4.4.5-150400.3.46.1
* libavdevice58_13-debuginfo-4.4.5-150400.3.46.1
* ffmpeg-4-4.4.5-150400.3.46.1
* ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
* libswscale5_9-debuginfo-4.4.5-150400.3.46.1
* libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-4.4.5-150400.3.46.1
* ffmpeg-4-libavutil-devel-4.4.5-150400.3.46.1
* libpostproc55_9-4.4.5-150400.3.46.1
* ffmpeg-4-libpostproc-devel-4.4.5-150400.3.46.1
* libavfilter7_110-4.4.5-150400.3.46.1
* ffmpeg-4-libavcodec-devel-4.4.5-150400.3.46.1
* ffmpeg-4-libavfilter-devel-4.4.5-150400.3.46.1
* ffmpeg-4-libavformat-devel-4.4.5-150400.3.46.1
* libswscale5_9-4.4.5-150400.3.46.1
* libavformat58_76-debuginfo-4.4.5-150400.3.46.1
* libavdevice58_13-4.4.5-150400.3.46.1
* libswresample3_9-4.4.5-150400.3.46.1
* ffmpeg-4-private-devel-4.4.5-150400.3.46.1
* libavresample4_0-debuginfo-4.4.5-150400.3.46.1
* openSUSE Leap 15.4 (x86_64)
* libavresample4_0-32bit-4.4.5-150400.3.46.1
* libswresample3_9-32bit-debuginfo-4.4.5-150400.3.46.1
* libavformat58_76-32bit-debuginfo-4.4.5-150400.3.46.1
* libavresample4_0-32bit-debuginfo-4.4.5-150400.3.46.1
* libpostproc55_9-32bit-4.4.5-150400.3.46.1
* libavcodec58_134-32bit-debuginfo-4.4.5-150400.3.46.1
* libavcodec58_134-32bit-4.4.5-150400.3.46.1
* libswresample3_9-32bit-4.4.5-150400.3.46.1
* libswscale5_9-32bit-debuginfo-4.4.5-150400.3.46.1
* libavdevice58_13-32bit-debuginfo-4.4.5-150400.3.46.1
* libavformat58_76-32bit-4.4.5-150400.3.46.1
* libpostproc55_9-32bit-debuginfo-4.4.5-150400.3.46.1
* libswscale5_9-32bit-4.4.5-150400.3.46.1
* libavfilter7_110-32bit-debuginfo-4.4.5-150400.3.46.1
* libavfilter7_110-32bit-4.4.5-150400.3.46.1
* libavutil56_70-32bit-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-32bit-4.4.5-150400.3.46.1
* libavdevice58_13-32bit-4.4.5-150400.3.46.1
* openSUSE Leap 15.4 (aarch64_ilp32)
* libavresample4_0-64bit-debuginfo-4.4.5-150400.3.46.1
* libpostproc55_9-64bit-4.4.5-150400.3.46.1
* libavutil56_70-64bit-4.4.5-150400.3.46.1
* libavfilter7_110-64bit-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-64bit-debuginfo-4.4.5-150400.3.46.1
* libswscale5_9-64bit-4.4.5-150400.3.46.1
* libavfilter7_110-64bit-4.4.5-150400.3.46.1
* libavdevice58_13-64bit-4.4.5-150400.3.46.1
* libpostproc55_9-64bit-debuginfo-4.4.5-150400.3.46.1
* libavcodec58_134-64bit-debuginfo-4.4.5-150400.3.46.1
* libavresample4_0-64bit-4.4.5-150400.3.46.1
* libswscale5_9-64bit-debuginfo-4.4.5-150400.3.46.1
* libavdevice58_13-64bit-debuginfo-4.4.5-150400.3.46.1
* libavformat58_76-64bit-debuginfo-4.4.5-150400.3.46.1
* libavcodec58_134-64bit-4.4.5-150400.3.46.1
* libavutil56_70-64bit-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-64bit-4.4.5-150400.3.46.1
* libavformat58_76-64bit-4.4.5-150400.3.46.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
* libpostproc55_9-4.4.5-150400.3.46.1
* libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
* ffmpeg-4-debugsource-4.4.5-150400.3.46.1
* libavcodec58_134-4.4.5-150400.3.46.1
* libavformat58_76-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-debuginfo-4.4.5-150400.3.46.1
* libavformat58_76-4.4.5-150400.3.46.1
* ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-4.4.5-150400.3.46.1
* libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-4.4.5-150400.3.46.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
* libpostproc55_9-4.4.5-150400.3.46.1
* libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
* ffmpeg-4-debugsource-4.4.5-150400.3.46.1
* libavcodec58_134-4.4.5-150400.3.46.1
* libavformat58_76-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-debuginfo-4.4.5-150400.3.46.1
* libavformat58_76-4.4.5-150400.3.46.1
* ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-4.4.5-150400.3.46.1
* libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-4.4.5-150400.3.46.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* libpostproc55_9-4.4.5-150400.3.46.1
* libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
* ffmpeg-4-debugsource-4.4.5-150400.3.46.1
* libavcodec58_134-4.4.5-150400.3.46.1
* libavformat58_76-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-debuginfo-4.4.5-150400.3.46.1
* libavformat58_76-4.4.5-150400.3.46.1
* ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-4.4.5-150400.3.46.1
* libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-4.4.5-150400.3.46.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* libpostproc55_9-4.4.5-150400.3.46.1
* libpostproc55_9-debuginfo-4.4.5-150400.3.46.1
* ffmpeg-4-debugsource-4.4.5-150400.3.46.1
* libavcodec58_134-4.4.5-150400.3.46.1
* libavformat58_76-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-debuginfo-4.4.5-150400.3.46.1
* libavformat58_76-4.4.5-150400.3.46.1
* ffmpeg-4-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-debuginfo-4.4.5-150400.3.46.1
* libswresample3_9-4.4.5-150400.3.46.1
* libavcodec58_134-debuginfo-4.4.5-150400.3.46.1
* libavutil56_70-4.4.5-150400.3.46.1
## References:
* https://www.suse.com/security/cve/CVE-2020-22037.html
* https://www.suse.com/security/cve/CVE-2024-12361.html
* https://www.suse.com/security/cve/CVE-2024-35368.html
* https://www.suse.com/security/cve/CVE-2024-36613.html
* https://www.suse.com/security/cve/CVE-2025-0518.html
* https://www.suse.com/security/cve/CVE-2025-22919.html
* https://www.suse.com/security/cve/CVE-2025-22921.html
* https://www.suse.com/security/cve/CVE-2025-25473.html
* https://bugzilla.suse.com/show_bug.cgi?id=1186756
* https://bugzilla.suse.com/show_bug.cgi?id=1202848
* https://bugzilla.suse.com/show_bug.cgi?id=1215945
* https://bugzilla.suse.com/show_bug.cgi?id=1219494
* https://bugzilla.suse.com/show_bug.cgi?id=1229338
* https://bugzilla.suse.com/show_bug.cgi?id=1230983
* https://bugzilla.suse.com/show_bug.cgi?id=1234028
* https://bugzilla.suse.com/show_bug.cgi?id=1235092
* https://bugzilla.suse.com/show_bug.cgi?id=1236007
* https://bugzilla.suse.com/show_bug.cgi?id=1237351
* https://bugzilla.suse.com/show_bug.cgi?id=1237358
* https://bugzilla.suse.com/show_bug.cgi?id=1237371
* https://bugzilla.suse.com/show_bug.cgi?id=1237382
* https://jira.suse.com/browse/PED-10024