
[kirkstone] ffmpeg: Ignore two CVEs fixed in 5.0.3

Message ID 20250723233435.3572670-1-daniel.diaz@sonos.com
State Under Review
Delegated to: Steve Sakoman

Commit Message

Daniel Díaz July 23, 2025, 11:34 p.m. UTC
These two CVEs were fixed via the 5.0.3 release, and the
backported patches that fixed them were subsequently left
behind (although not deleted) by dadb16481810 ("ffmpeg:
upgrade 5.0.1 -> 5.0.3"):

* CVE-2022-3109: An issue was discovered in the FFmpeg
  package, where vp3_decode_frame in libavcodec/vp3.c lacks
  check of the return value of av_malloc() and will cause a
  null pointer dereference, impacting availability.

* CVE-2022-3341: A null pointer dereference issue was
  discovered in 'FFmpeg' in decode_main_header() function of
  libavformat/nutdec.c file. The flaw occurs because the
  function lacks check of the return value of
  avformat_new_stream() and triggers the null pointer
  dereference error, causing an application to crash.

`bitbake ffmpeg` reports these two as "Unpatched".

Ignore them for now, until the NVD updates the version ranges
so that these no longer apply.

Signed-off-by: Daniel Díaz <daniel.diaz@sonos.com>
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 6 ++++++
 1 file changed, 6 insertions(+)

Patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index 57bd4c5442..8da11f196d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -90,6 +90,12 @@  CVE_CHECK_IGNORE += "CVE-2025-1373"
 # bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba
 CVE_CHECK_IGNORE += "CVE-2022-48434"
 
+# These two vulnerabilities were fixed in 5.0.3
+# bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/2cdddcd6ec90c7a248ffe792d85faa4d89eab9f7
+CVE_CHECK_IGNORE += "CVE-2022-3109"
+# bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/481e81be1271ac9a0124ee615700390c2371bd89
+CVE_CHECK_IGNORE += "CVE-2022-3341"
+
 # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"
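Review bot: The commit message says the backported patches for CVE-2022-3109 and CVE-2022-3341 were "left behind (although not deleted)", but this hunk only adds the two ignores and the diffstat shows 6 insertions and 0 deletions, so the orphaned .patch files still sit in the recipe directory without being referenced from SRC_URI. Please drop those files in the same change (or state in the commit message why they are kept), otherwise the next person to touch the recipe will have no way to tell whether they are still meant to be applied. On the new comment block, the neighbouring entries pair each "# bugfix:" URL with the reason the ignore is needed; here the reason is the NVD version-range lag described in the commit message, so something like

+# These two vulnerabilities were fixed in the 5.0.3 release itself;
+# NVD data still lists 5.0.3 as affected, so ignore until that is corrected

would tell a later maintainer when the ignore can be removed rather than only that the fix exists. The CVE_CHECK_IGNORE form matches the existing CVE-2022-48434 entry above it, so that part is consistent with the rest of the file.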