Ubuntu alert USN-7823-1 (ffmpeg)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-7823-1] FFmpeg vulnerabilities
Date: Wed, 15 Oct 2025 22:12:02 +0000
Message-ID: <E1v99j0-0005nT-4r@lists.ubuntu.com>
==========================================================================
Ubuntu Security Notice USN-7823-1
October 15, 2025

ffmpeg vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in FFmpeg.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that FFmpeg did not correctly handle certain memory
operations. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. This issue only affected Ubuntu
24.04 LTS. (CVE-2024-35365)

It was discovered that FFmpeg did not correctly handle certain integer
calculations. An attacker could possibly use this issue to cause a denial
of service. (CVE-2024-35366)

It was discovered that FFmpeg may perform an out-of-bounds read under
certain circumstances. An attacker could possibly use this issue to cause
a denial of service. (CVE-2024-35367)

It was discovered that FFmpeg did not correctly handle certain memory
operations. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2024-35368)

It was discovered that FFmpeg did not correctly handle certain inputs,
which could lead to an integer overflow. An attacker could possibly use
this issue to cause a denial of service or execute arbitrary code.
(CVE-2024-36613, CVE-2024-36616, CVE-2024-36618)

It was discovered that FFmpeg did not correctly handle certain inputs,
which could lead to an integer overflow. An attacker could possibly use
this issue to cause a denial of service or execute arbitrary code. This
issue only affected Ubuntu 24.04 LTS. (CVE-2024-36619)

It was discovered that FFmpeg did not correctly handle certain memory
operations. A remote attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. This issue only affected
Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-7055)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  ffmpeg          7:6.1.1-3ubuntu5+esm5
                  Available with Ubuntu Pro
  libavcodec-dev  7:6.1.1-3ubuntu5+esm5
                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  ffmpeg          7:4.4.2-0ubuntu0.22.04.1+esm9
                  Available with Ubuntu Pro
  libavcodec-dev  7:4.4.2-0ubuntu0.22.04.1+esm9
                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  ffmpeg          7:4.2.7-0ubuntu0.1+esm10
                  Available with Ubuntu Pro
  libavcodec-dev  7:4.2.7-0ubuntu0.1+esm10
                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ffmpeg          7:3.4.11-0ubuntu0.1+esm10
                  Available with Ubuntu Pro
  libavcodec-dev  7:3.4.11-0ubuntu0.1+esm10
                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  ffmpeg          7:2.8.17-0ubuntu0.1+esm12
                  Available with Ubuntu Pro
  libavcodec-dev  7:2.8.17-0ubuntu0.1+esm12
                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7823-1
  CVE-2024-35365, CVE-2024-35366, CVE-2024-35367, CVE-2024-35368,
  CVE-2024-36613, CVE-2024-36616, CVE-2024-36618, CVE-2024-36619,
  CVE-2024-7055
Attachment: signature.asc (type=application/pgp-signature)