Published: 29 March 2023
libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).
As of 2023-04-26 there is no public reproducer available for this issue, so there is no way to confirm through vulnerability testing that Xenial and Bionic are vulnerable to it. Xenial's version of FFmpeg is 2.8. Upstream has only provided patches for versions 4.4.x, 5.0.x and 5.1.x. Because the code of pthread_frame.c (the file altered by the patch) and of FFmpeg as a whole has changed significantly from version 2.8 to version 4.4.3, applying the 4.4.3 patch is very likely to introduce security issues and regressions. Given the very intrusive nature of the backport, Xenial and Bionic (at version 3.4) will not be patched for this issue, and will therefore be marked as ignored.
(end of standard support)
(end of life, was needed)
(7:5.1.2-1, 5.1.2, 5.0.1, 4.4.3)
upstream: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db (4.4.x)
upstream: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba (5.0.x)
upstream: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda (5.1.x)
upstream: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11 (n6.1-dev)
- https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11 (n6.1-dev)
- https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda (n5.1.2)