diff options
| author | Daniel Díaz <daniel.diaz@sonos.com> | 2025-07-23 17:34:35 -0600 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-07-30 07:47:48 -0700 |
| commit | 875170d8f8e33fd19abd6f492d6449a608a6aea4 (patch) | |
| tree | 8f26c97861b812612f32b795d78c9db94434d7be /meta | |
| parent | 87e1bc09cabe609981d5ee7ea4919755e2072ad9 (diff) | |
| download | poky-875170d8f8e33fd19abd6f492d6449a608a6aea4.tar.gz | |
ffmpeg: Ignore two CVEs fixed in 5.0.3
These two CVEs were fixed via the 5.0.3 release, and the
backported patches that fixed them were subsequently left
behind (although not deleted) by dadb16481810 ("ffmpeg:
upgrade 5.0.1 -> 5.0.3")
* CVE-2022-3109: An issue was discovered in the FFmpeg
package, where vp3_decode_frame in libavcodec/vp3.c lacks
check of the return value of av_malloc() and will cause a
null pointer dereference, impacting availability.
* CVE-2022-3341: A null pointer dereference issue was
discovered in 'FFmpeg' in decode_main_header() function of
libavformat/nutdec.c file. The flaw occurs because the
function lacks check of the return value of
avformat_new_stream() and triggers the null pointer
dereference error, causing an application to crash.
`bitbake ffmpeg` reports these two as "Unpatched".
Ignore them for now, until the NVD updates the versions where
these do not affect anymore.
(From OE-Core rev: 78aef4b1002c515aa2c1a64fea5bb013c9bc86a8)
Signed-off-by: Daniel Díaz <daniel.diaz@sonos.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 57bd4c5442..8da11f196d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | |||
| @@ -90,6 +90,12 @@ CVE_CHECK_IGNORE += "CVE-2025-1373" | |||
| 90 | # bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba | 90 | # bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba |
| 91 | CVE_CHECK_IGNORE += "CVE-2022-48434" | 91 | CVE_CHECK_IGNORE += "CVE-2022-48434" |
| 92 | 92 | ||
| 93 | # These two vulnerabilities were fixed in 5.0.3 | ||
| 94 | # bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/2cdddcd6ec90c7a248ffe792d85faa4d89eab9f7 | ||
| 95 | CVE_CHECK_IGNORE += "CVE-2022-3109" | ||
| 96 | # bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/481e81be1271ac9a0124ee615700390c2371bd89 | ||
| 97 | CVE_CHECK_IGNORE += "CVE-2022-3341" | ||
| 98 | |||
| 93 | # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 | 99 | # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 |
| 94 | ARM_INSTRUCTION_SET:armv4 = "arm" | 100 | ARM_INSTRUCTION_SET:armv4 = "arm" |
| 95 | ARM_INSTRUCTION_SET:armv5 = "arm" | 101 | ARM_INSTRUCTION_SET:armv5 = "arm" |