From: Colin Pinnell McAllister
Date: Mon, 16 Jun 2025 15:42:02 +0000 (-0500)
Subject: ffmpeg: fix CVE-2025-1373
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99cda92e387ca071c4235c14a137510a4fb481c2;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git

ffmpeg: fix CVE-2025-1373

CVE-2025-1373 does not appear to affect ffmpeg 5.0.3. The CVE has been added to the ignore list.

Signed-off-by: Colin Pinnell McAllister
Signed-off-by: Steve Sakoman
---

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index 4ae444258f..ae257a3926 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -81,6 +81,11 @@ CVE_CHECK_IGNORE += "CVE-2024-22862"
 # bugfix: https://github.com/FFmpeg/FFmpeg/commit/9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6
 CVE_CHECK_IGNORE += "CVE-2024-7272"
 
+# Vulnerable code not present in any release
+# introduced: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/19f7dae81ab2c19643b97da7556383ee3f721e78
+# bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/43be8d07281caca2e88bfd8ee2333633e1fb1a13
+CVE_CHECK_IGNORE += "CVE-2025-1373"
+
 # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"
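Review bot: The comment added above `CVE_CHECK_IGNORE += "CVE-2025-1373"` asserts "Vulnerable code not present in any release", which is stronger than the commit message's "does not appear to affect ffmpeg 5.0.3", and neither says how the absence was checked. An ignore entry silences the CVE scanner for this recipe and will most likely be carried along when the recipe file is renamed for an upgrade, so the justification should be specific enough to re-evaluate later. If that is what was verified, I would add a line such as `# introducing commit is not contained in the 5.0.3 sources` next to the two commit links. The subject "fix CVE-2025-1373" also reads like a code fix, although the hunk only marks the CVE as not applicable.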