[scarthgap,2/8] ffmpeg: fix CVE-2025-1373

Message ID	0ffe159d9a4ee434b4c995e1ca9a85b01e0a5d05.1750176125.git.steve@sakoman.com
State	New
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.215.171, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 2/8] ffmpeg: fix CVE-2025-1373 Date: Tue, 17 Jun 2025 09:04:20 -0700 Message-ID: <0ffe159d9a4ee434b4c995e1ca9a85b01e0a5d05.1750176125.git.steve@sakoman.com> In-Reply-To: <cover.1750176125.git.steve@sakoman.com> References: <cover.1750176125.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,1/8] net-tools: patch CVE-2025-46836 \| expand [scarthgap,1/8] net-tools: patch CVE-2025-46836 [scarthgap,2/8] ffmpeg: fix CVE-2025-1373 [scarthgap,3/8] python3-requests: upgrade 2.32.3 -> 2.32.4 [scarthgap,4/8] scripts/install-buildtools: Update to 5.0.10 [scarthgap,5/8] gcc: Upgrade to GCC 13.4 [scarthgap,6/8] tune-cortexr52: Remove aarch64 for ARM Cortex-R52 [scarthgap,7/8] libpng: Add ptest [scarthgap,8/8] systemd: Rename systemd_v255.21 to systemd_255.21

Message ID

0ffe159d9a4ee434b4c995e1ca9a85b01e0a5d05.1750176125.git.steve@sakoman.com

State

New

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 2/8] ffmpeg: fix CVE-2025-1373
Date: Tue, 17 Jun 2025 09:04:20 -0700
Message-ID: 
 <0ffe159d9a4ee434b4c995e1ca9a85b01e0a5d05.1750176125.git.steve@sakoman.com>
In-Reply-To: <cover.1750176125.git.steve@sakoman.com>
References: <cover.1750176125.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,1/8] net-tools: patch CVE-2025-46836 | expand

Commit Message

Steve Sakoman June 17, 2025, 4:04 p.m. UTC

From: Colin Pinnell McAllister <colin.mcallister@garmin.com>

CVE-2025-1373 does not appear to affect ffmpeg 5.0.3. The CVE has been
marked as "fixed-version".

Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb
index 04356b9932..a789980dde 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb
@@ -55,6 +55,10 @@  SRC_URI[sha256sum] = "3b624649725ecdc565c903ca6643d41f33bd49239922e45c9b1442c63d
 CVE_STATUS[CVE-2023-39018] = "cpe-incorrect: This issue belongs to ffmpeg-cli-wrapper \
 (Java wrapper around the FFmpeg CLI) and not ffmepg itself."
 
+# Introduced: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/19f7dae81ab2c19643b97da7556383ee3f721e78
+# Fixed: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/43be8d07281caca2e88bfd8ee2333633e1fb1a13
+CVE_STATUS[CVE-2025-1373]  = "fixed-version: Vulnerable code not present in any release"
+
 # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"

[scarthgap,2/8] ffmpeg: fix CVE-2025-1373

Commit Message

Patch