An update for ffmpeg is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1017 Final 1.0 1.0 2025-01-10 Initial 2025-01-10 2025-01-10 openEuler SA Tool V1.0 2025-01-10 ffmpeg security update An update for ffmpeg is now available for openEuler-24.03-LTS FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash. Security Fix(es): In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.(CVE-2024-35369) FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavcodec library which allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition.(CVE-2024-36619) An update for ffmpeg is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium ffmpeg https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1017 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-35369 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-36619 https://nvd.nist.gov/vuln/detail/CVE-2024-35369 https://nvd.nist.gov/vuln/detail/CVE-2024-36619 openEuler-24.03-LTS ffmpeg-6.1.1-18.oe2403.aarch64.rpm ffmpeg-debuginfo-6.1.1-18.oe2403.aarch64.rpm ffmpeg-debugsource-6.1.1-18.oe2403.aarch64.rpm ffmpeg-devel-6.1.1-18.oe2403.aarch64.rpm ffmpeg-libs-6.1.1-18.oe2403.aarch64.rpm libavdevice-6.1.1-18.oe2403.aarch64.rpm ffmpeg-6.1.1-18.oe2403.src.rpm ffmpeg-6.1.1-18.oe2403.x86_64.rpm ffmpeg-debuginfo-6.1.1-18.oe2403.x86_64.rpm ffmpeg-debugsource-6.1.1-18.oe2403.x86_64.rpm ffmpeg-devel-6.1.1-18.oe2403.x86_64.rpm ffmpeg-libs-6.1.1-18.oe2403.x86_64.rpm libavdevice-6.1.1-18.oe2403.x86_64.rpm In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process. 2025-01-10 CVE-2024-35369 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H ffmpeg security update 2025-01-10 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1017 FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavcodec library which allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition. 2025-01-10 CVE-2024-36619 openEuler-24.03-LTS Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L ffmpeg security update 2025-01-10 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1017