From 78aef4b1002c515aa2c1a64fea5bb013c9bc86a8 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Daniel=20D=C3=ADaz?= Date: Wed, 23 Jul 2025 17:34:35 -0600 Subject: [PATCH] ffmpeg: Ignore two CVEs fixed in 5.0.3 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit These two CVEs were fixed via the 5.0.3 release, and the backported patches that fixed them were subsequently left behind (although not deleted) by dadb16481810 ("ffmpeg: upgrade 5.0.1 -> 5.0.3") * CVE-2022-3109: An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability. * CVE-2022-3341: A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash. `bitbake ffmpeg` reports these two as "Unpatched". Ignore them for now, until the NVD updates the versions where these do not affect anymore. Signed-off-by: Daniel Díaz Signed-off-by: Steve Sakoman --- meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 57bd4c5442..8da11f196d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -90,6 +90,12 @@ CVE_CHECK_IGNORE += "CVE-2025-1373" # bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba CVE_CHECK_IGNORE += "CVE-2022-48434" +# These two vulnerabilities were fixed in 5.0.3 +# bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/2cdddcd6ec90c7a248ffe792d85faa4d89eab9f7 +CVE_CHECK_IGNORE += "CVE-2022-3109" +# bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/481e81be1271ac9a0124ee615700390c2371bd89 +CVE_CHECK_IGNORE += "CVE-2022-3341" + # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 ARM_INSTRUCTION_SET:armv4 = "arm" ARM_INSTRUCTION_SET:armv5 = "arm" -- 2.47.2