{"id":"MGASA-2025-0306","summary":"Updated ffmpeg packages fix security vulnerabilities","details":"FFmpeg v.n6.1-3-g466799d4f5 allows an attacker to trigger use of a\nparameter of negative size in the av_samples_set_silence function in\nthelibavutil/samplefmt.c:260:9 component. (CVE-2023-50007)\nFFmpeg v.n6.1-3-g466799d4f5 allows memory consumption when using the\ncolorcorrect filter, in the av_malloc function in libavutil/mem.c:105:9\ncomponent. (CVE-2023-50008)\nImproper handling of input format in tty demuxer of ffmpeg.\n(CVE-2023-6602)\nHls xbin demuxer dos amplification in ffmpeg. (CVE-2023-6604)\nDash playlist ssrf vulnerability in ffmpeg. (CVE-2023-6605)\nFFmpeg version n6.1 was discovered to contain a heap buffer overflow\nvulnerability in the draw_block_rectangle function of\nlibavfilter/vf_codecview.c. This vulnerability allows attackers to cause\nundefined behavior or a Denial of Service (DoS) via crafted input.\n(CVE-2024-31582)\nFFmpeg n6.1.1 has an Out-of-bounds Read via\nlibavcodec/ppc/vp8dsp_altivec.c, static const vec_s8\nh_subpel_filters_outer. (CVE-2024-35367)\nHeap-buffer-overflow write in FFmpeg MDASH resolve_content_path.\n(CVE-2025-59728)\nHeap-buffer-overflow write in FFmpeg EXR dwa_uncompress.\n(CVE-2025-59731, CVE-2025-59732, CVE-2025-59733)\nNull pointer dereference in ffmpeg als decoder (libavcodec/alsdec.c).\n(CVE-2025-7700)\n","modified":"2026-01-30T00:40:35.143181Z","published":"2025-11-21T19:56:16Z","related":["CVE-2023-50007","CVE-2023-50008","CVE-2023-6602","CVE-2023-6604","CVE-2023-6605","CVE-2024-31582","CVE-2024-35367","CVE-2025-59728","CVE-2025-59731","CVE-2025-59732","CVE-2025-59733","CVE-2025-7700"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0306.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34757"},{"type":"REPORT","url":"https://ffmpeg.org/security.html"},{"type":"REPORT","url":"https://lists.debian.org/debian-security-announce/2025/msg00149.html"}],"affected":[{"package":{"name":"ffmpeg","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/ffmpeg?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.1.7-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0306.json"}},{"package":{"name":"ffmpeg","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/ffmpeg?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.1.7-1.mga9.tainted"}]}],"ecosystem_specific":{"section":"tainted"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0306.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}