CVE-2024-35366
Publication date 29 November 2024
Last updated 13 February 2025
Ubuntu priority
FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ffmpeg | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| libav | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 14.04 LTS trusty | Ignored end of ESM support, was needs-triage |
Notes
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-35366
- https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6 (n7.0)
- https://gist.github.com/1047524396/1e72f170d58c2547ebd4db4cdf6cfabf
- https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/sbgdec.c#L389
- https://github.com/FFmpeg/FFmpeg/commit/2c82ab946b8722a3501069e346809288db69e858