   openSUSE Security Update: Security update for ffmpeg2
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1433-1
Rating:             moderate
References:         #1015120 #1022920 #1022921 #1022922 #1034176
                    #1034177 #1034179
Cross-References:   CVE-2016-10190 CVE-2016-10191 CVE-2016-10192
                    CVE-2016-9561 CVE-2017-7863 CVE-2017-7865
                    CVE-2017-7866
Affected Products:
                    openSUSE Leap 42.2
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for ffmpeg2 fixes security issues, bugs, and enables AC3 and
   MP3 decoding.

   The following vulnerabilities were fixed:

   - CVE-2017-7863: heap-based buffer overflow (bsc#1034179)
   - CVE-2017-7865: heap-based buffer overflow (bsc#1034177)
   - CVE-2017-7866: stack-based buffer overflow (bsc#1034176)
   - CVE-2016-10191: remote code execution (bsc#1022921)
   - CVE-2016-10190: remote code execution (bsc#1022920)
   - CVE-2016-10192: remote code execution (bsc#1022922)
   - CVE-2016-9561: Huge amount of memory allocated, resulting in DoS of
     ffmpeg (bsc#1015120)

   The following functionality was added:

   - Enable AC3 and MP3 decoding

   ffmpeg was updated to 2.8.11, containing a number of upstream
   improvements and fixes.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-631=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.2 (i586 x86_64):

      ffmpeg2-debugsource-2.8.11-25.3.1
      ffmpeg2-devel-2.8.11-25.3.1
      libavcodec56-2.8.11-25.3.1
      libavcodec56-debuginfo-2.8.11-25.3.1
      libavdevice56-2.8.11-25.3.1
      libavdevice56-debuginfo-2.8.11-25.3.1
      libavfilter5-2.8.11-25.3.1
      libavfilter5-debuginfo-2.8.11-25.3.1
      libavformat56-2.8.11-25.3.1
      libavformat56-debuginfo-2.8.11-25.3.1
      libavresample2-2.8.11-25.3.1
      libavresample2-debuginfo-2.8.11-25.3.1
      libavutil54-2.8.11-25.3.1
      libavutil54-debuginfo-2.8.11-25.3.1
      libpostproc53-2.8.11-25.3.1
      libpostproc53-debuginfo-2.8.11-25.3.1
      libswresample1-2.8.11-25.3.1
      libswresample1-debuginfo-2.8.11-25.3.1
      libswscale3-2.8.11-25.3.1
      libswscale3-debuginfo-2.8.11-25.3.1

   - openSUSE Leap 42.2 (x86_64):

      libavcodec56-32bit-2.8.11-25.3.1
      libavcodec56-debuginfo-32bit-2.8.11-25.3.1
      libavdevice56-32bit-2.8.11-25.3.1
      libavdevice56-debuginfo-32bit-2.8.11-25.3.1
      libavfilter5-32bit-2.8.11-25.3.1
      libavfilter5-debuginfo-32bit-2.8.11-25.3.1
      libavformat56-32bit-2.8.11-25.3.1
      libavformat56-debuginfo-32bit-2.8.11-25.3.1
      libavresample2-32bit-2.8.11-25.3.1
      libavresample2-debuginfo-32bit-2.8.11-25.3.1
      libavutil54-32bit-2.8.11-25.3.1
      libavutil54-debuginfo-32bit-2.8.11-25.3.1
      libpostproc53-32bit-2.8.11-25.3.1
      libpostproc53-debuginfo-32bit-2.8.11-25.3.1
      libswresample1-32bit-2.8.11-25.3.1
      libswresample1-debuginfo-32bit-2.8.11-25.3.1
      libswscale3-32bit-2.8.11-25.3.1
      libswscale3-debuginfo-32bit-2.8.11-25.3.1

References:

   https://www.suse.com/security/cve/CVE-2016-10190.html
   https://www.suse.com/security/cve/CVE-2016-10191.html
   https://www.suse.com/security/cve/CVE-2016-10192.html
   https://www.suse.com/security/cve/CVE-2016-9561.html
   https://www.suse.com/security/cve/CVE-2017-7863.html
   https://www.suse.com/security/cve/CVE-2017-7865.html
   https://www.suse.com/security/cve/CVE-2017-7866.html
   https://bugzilla.suse.com/1015120
   https://bugzilla.suse.com/1022920
   https://bugzilla.suse.com/1022921
   https://bugzilla.suse.com/1022922
   https://bugzilla.suse.com/1034176
   https://bugzilla.suse.com/1034177
   https://bugzilla.suse.com/1034179