Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ffmpeg-4 for openSUSE:Factory checked in at 2025-06-10 08:57:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ffmpeg-4 (Old)
 and      /work/SRC/openSUSE:Factory/.ffmpeg-4.new.19631 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg-4" Tue Jun 10 08:57:46 2025 rev:82 rq:1283411 version:4.4.6 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg-4/ffmpeg-4.changes 2025-06-01 21:36:59.086359937 +0200 +++ /work/SRC/openSUSE:Factory/.ffmpeg-4.new.19631/ffmpeg-4.changes 2025-06-10 08:58:36.654852579 +0200 @@ -1,0 +2,8 @@ +Fri May 30 14:28:05 UTC 2025 - Cliff Zhao <qz...@suse.com> + +- Add ffmpeg-4-CVE-2024-36618.patch: + Backport 7a089ed8 from upstream, avformat/avidec: Fix integer + overflow iff ULONG_MAX < INT64_MAX. + (CVE-2024-36618, bsc#1234020) + +------------------------------------------------------------------- @@ -79,0 +88,2 @@ + avformat/cafdec: dont seek beyond 64bit (CVE-2024-36617, bsc#1234019). + avformat/westwood_vqa: Fix 2g packets (CVE-2024-36616, bsc#1234018). @@ -716,0 +727 @@ + * avcodec/g729_parser: Check channels (CVE-2022-1475, bsc#1198898) New: ---- ffmpeg-4-CVE-2024-36618.patch BETA DEBUG BEGIN: New: - Add ffmpeg-4-CVE-2024-36618.patch: Backport 7a089ed8 from upstream, avformat/avidec: Fix integer BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg-4.spec ++++++ --- /var/tmp/diff_new_pack.BdJeGT/_old 2025-06-10 08:58:37.490887062 +0200 +++ /var/tmp/diff_new_pack.BdJeGT/_new 2025-06-10 08:58:37.494887227 +0200 @@ -141,6 +141,7 @@ Patch28: ffmpeg-4-CVE-2025-25473.patch Patch29: ffmpeg-4-CVE-2025-22921.patch Patch30: ffmpeg-avcodec-libdav1d-don-t-repeatedly-parse-the-same-seq.patch +Patch31: ffmpeg-4-CVE-2024-36618.patch BuildRequires: ladspa-devel BuildRequires: libgsm-devel BuildRequires: libmp3lame-devel ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.BdJeGT/_old 2025-06-10 08:58:37.546889372 +0200 +++ /var/tmp/diff_new_pack.BdJeGT/_new 2025-06-10 08:58:37.550889537 +0200 
@@ -1,5 +1,5 @@ -mtime: 1748629845 -commit: 420e661938e4368d566150fe417d839dd54c1787c020fe7f7bd9c4d6cdcebe6b +mtime: 1749132081 +commit: b0492f21788e3531689b3d71465d576aed32d6c7b6bb7d04a6d851c1c6c6a711 url: https://src.opensuse.org/jengelh/ffmpeg-4 revision: master ++++++ build.specials.obscpio ++++++ ++++++ ffmpeg-4-CVE-2024-36618.patch ++++++ commit 7a089ed8e049e3bfcb22de1250b86f2106060857 Author: Andreas Rheinhardt <andreas.rheinha...@outlook.com> Date: Tue Mar 12 23:23:17 2024 +0100 avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX Affects many FATE-tests, see https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu Reviewed-by: James Almer <jamr...@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@outlook.com> --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1694,7 +1694,7 @@ int *idx = av_mallocz_array(s->nb_streams, sizeof(*idx)); if (!idx) return AVERROR(ENOMEM); - for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) { + for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) { int64_t max_dts = INT64_MIN / 2; int64_t min_dts = INT64_MAX / 2; int64_t max_buffer = 0;
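
Review bot: The ffmpeg-4.changes hunks at `@@ -79,0 +88,2 @@` and `@@ -716,0 +727 @@` insert CVE references (CVE-2024-36617, CVE-2024-36616, CVE-2022-1475) into existing older entries, but the new entry at the top records only ffmpeg-4-CVE-2024-36618.patch. Someone reading the newest entry cannot tell that the tracking data for three other CVEs changed in this revision. Consider adding a line to the new entry stating that these references were added to earlier entries, so the change is visible without diffing the file.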
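
Review bot: The ffmpeg-4.spec hunk only declares `Patch31: ffmpeg-4-CVE-2024-36618.patch`; no line that applies it appears anywhere in the diff. If the spec applies patches through %autosetup or an equivalent macro this is enough, but if patches are applied one by one a matching application line is missing, and the package would build without the CVE-2024-36618 fix while the changelog states it is included. Please confirm which case holds.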
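
Review bot: In the libavformat/avidec.c hunk, the loop increment `pos = min_pos + 1ULL` depends on the literal's suffix for correctness, and nothing at the site says so. The condition `min_pos != INT64_MAX` is tested only after the increment expression has been evaluated, so on the iteration that ends the loop the addition runs with min_pos at INT64_MAX; it is well defined only because 1ULL forces the arithmetic into an unsigned type of at least 64 bits, which 1LU did only where unsigned long is that wide. A short comment that the unsigned suffix is deliberate, or a restructuring that leaves the loop before computing min_pos + 1, would keep a later cleanup from reintroducing the overflow.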