Ubuntu alert USN-7830-1 (ffmpeg)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-7830-1] FFmpeg vulnerabilities
Date: Tue, 21 Oct 2025 17:14:41 +0000
Message-ID: <E1vBFwX-0000id-QD@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-7830-1
October 21, 2025

ffmpeg vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in FFmpeg.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that FFmpeg incorrectly handled the return values of
functions in its Firequalizer filter and in the HTTP Live Streaming (HLS)
implementation, leading to a NULL pointer dereference. If a user was
tricked into loading a crafted media file, a remote attacker could possibly
use this issue to make FFmpeg crash, resulting in a denial of service.
(CVE-2023-6603, CVE-2025-10256)

It was discovered that FFmpeg did not enforce an input format before
triggering the HTTP demuxer. A remote attacker could possibly use this
issue to perform a Server-Side Request Forgery (SSRF) attack.
(CVE-2025-6605)

It was discovered that FFmpeg incorrectly handled memory allocation in the
ALS audio decoder. If a user was tricked into loading a crafted media file,
a remote attacker could possibly use this issue to make FFmpeg crash,
resulting in a denial of service. (CVE-2025-7700)

It was discovered that FFmpeg incorrectly handled memory in the JPEG 2000
decoder, which could lead to a heap buffer overflow. If a user or
application were tricked into opening a specially crafted file, an attacker
could possibly use this issue to cause a denial of service or leak
sensitive information. (CVE-2025-9951)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  ffmpeg           7:6.1.1-3ubuntu5+esm6
                   Available with Ubuntu Pro
  libavcodec60     7:6.1.1-3ubuntu5+esm6
                   Available with Ubuntu Pro
  libavformat60    7:6.1.1-3ubuntu5+esm6
                   Available with Ubuntu Pro

Ubuntu 22.04 LTS
  ffmpeg           7:4.4.2-0ubuntu0.22.04.1+esm10
                   Available with Ubuntu Pro
  libavcodec58     7:4.4.2-0ubuntu0.22.04.1+esm10
                   Available with Ubuntu Pro
  libavformat58    7:4.4.2-0ubuntu0.22.04.1+esm10
                   Available with Ubuntu Pro

Ubuntu 20.04 LTS
  ffmpeg           7:4.2.7-0ubuntu0.1+esm11
                   Available with Ubuntu Pro
  libavcodec58     7:4.2.7-0ubuntu0.1+esm11
                   Available with Ubuntu Pro
  libavformat58    7:4.2.7-0ubuntu0.1+esm11
                   Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ffmpeg           7:3.4.11-0ubuntu0.1+esm11
                   Available with Ubuntu Pro
  libavcodec57     7:3.4.11-0ubuntu0.1+esm11
                   Available with Ubuntu Pro
  libavformat57    7:3.4.11-0ubuntu0.1+esm11
                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7830-1
  CVE-2023-6603, CVE-2023-6605, CVE-2025-10256, CVE-2025-7700, CVE-2025-9951

Attachment: signature.asc (type=application/pgp-signature)
