Thanks for the prompt and quick reply.
-----Original Message-----
From: ffmpeg-user <[email protected]> On Behalf Of Moritz Barsnick
Sent: Thursday, January 6, 2022 10:07 AM
To: FFmpeg user discussions <[email protected]>
Subject: EXTERNAL: Re: [FFmpeg-user] ffmpeg 4.4.1 security issue

On Thu, Jan 06, 2022 at 13:12:51 +0000, FFmpeg user discussions wrote:
> I am currently a data scientist at USAA. I was trying to use FFMPEG 4.4.1 to
> convert spex audio files to wav audio format.
>
> My security team denied the download of the package, and here is the
> following explanation that they gave:
> DOWNLOAD DENIED: Multiple known vulnerabilities like CVE-2021-38171
> I was wondering how I can get this fixed or if it is already fixed in a later
> version?

The fix is mentioned in the CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-38171):
https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6

It was ported to the 4.4 branch here:
https://github.com/FFmpeg/FFmpeg/commit/fb993619d1035fa9646506925ea70fb122038999

and that is contained in release 4.4.1, as far as I can tell (by "git tag --contains fb993619d1035fa9646506925ea70fb122038999"). So the CVE refers to version 4.4, and version 4.4.1 fixes this and is therefore not affected, AFAICT.
You'll have to have your security team check 4.4.1. You may need to check each CVE separately (they mention "multiple known vulnerabilities"). If in doubt, disable the affected feature (as in this case: the ADTS muxer).

Hope this helps,
Moritz
_______________________________________________
ffmpeg-user mailing list
[email protected]
https://ffmpeg.org/mailman/listinfo/ffmpeg-user

To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
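As an added example that is not part of the thread: the containment check Moritz ran by hand with "git tag --contains", turned into a shell function that takes any number of fix commits (one per CVE, since the reply says each CVE has to be checked separately) and reports which ones a chosen release tag contains. The demo repository it builds is a constructed placeholder, not FFmpeg's history; FFmpeg's own release tags are named like n4.4.1.

```shell
#!/bin/sh
# Added example, not from the thread: check whether CVE fix commits are
# contained in a release tag, done per commit so several CVEs can be
# verified in one pass against the same release.
# Usage: fix_in_release REPO_DIR TAG SHA [SHA ...]
# Prints one verdict per commit; exit status 0 only if every fix is in TAG.
fix_in_release() {
    repo=$1; tag=$2; shift 2
    rc=0
    for sha in "$@"; do
        # A SHA the clone has never heard of cannot be in any of its tags.
        if ! git -C "$repo" cat-file -e "$sha^{commit}" 2>/dev/null; then
            echo "UNKNOWN  $sha is not in the repository"; rc=1; continue
        fi
        # --is-ancestor answers by exit status: 0 when $sha is reachable from $tag.
        if git -C "$repo" merge-base --is-ancestor "$sha" "$tag"; then
            echo "FIXED    $sha is contained in $tag"
        else
            echo "MISSING  $sha is not contained in $tag"; rc=1
        fi
    done
    return $rc
}

# Constructed demo history (placeholder, not FFmpeg's): a release branch
# carrying one backported fix, tagged n4.4.1, plus a later commit that only
# exists on the development branch. Prints the repository path.
make_demo_repo() {
    dir=$(mktemp -d)
    g() { git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    echo base > "$dir/adtsenc.c"; g add adtsenc.c; g commit -q -m "initial"
    g checkout -q -b release/4.4
    echo fixed > "$dir/adtsenc.c"; g commit -q -am "avformat/adtsenc: backported fix"
    g tag n4.4.1
    g checkout -q -            # back to the development branch
    echo new > "$dir/other.c"; g add other.c; g commit -q -m "development-only change"
    echo "$dir"
}
```

Against a real clone the call is `fix_in_release ffmpeg n4.4.1 fb993619d1035fa9646506925ea70fb122038999`; `git tag --contains <sha>` lists every tag that contains a commit, while this function answers yes/no for the one tag your security team is evaluating.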
