[Git][security-tracker-team/security-tracker][master] 5 commits: Track fix for CVE-2025-1594/ffmpeg for bookworm's version
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Dec 17 05:00:22 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b8ffdab5 by Carlos Henrique Lima Melara at 2025-12-17T00:33:11-03:00
Track fix for CVE-2025-1594/ffmpeg for bookworm's version
DSA-6079-1 fixed it.
- - - - -
572b171d by Carlos Henrique Lima Melara at 2025-12-17T00:33:40-03:00
Track fix for CVE-2024-36618/ffmpeg for bookworm's version
DSA-6079-1 fixed it.
- - - - -
04f34f69 by Carlos Henrique Lima Melara at 2025-12-17T00:34:01-03:00
Track fixed versions in unstable, trixie and bookworm for CVE-2025-9951
Also add links to the upstream fixes in LTS branches and link to the
corresponding DSAs fixing it in each suite.
- - - - -
9aa94ed6 by Carlos Henrique Lima Melara at 2025-12-17T00:34:45-03:00
Update information on CVE-2025-5973{1,2,3}/ffmpeg, bullseye not-affected
- - - - -
4a00cdb9 by Salvatore Bonaccorso at 2025-12-17T06:00:12+01:00
Merge branch 'update-ffmpeg-triaging' into 'master'
Update triaging of ffmpeg CVEs
See merge request security-tracker-team/security-tracker!251
- - - - -
2 changed files:
- data/CVE/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -24402,7 +24402,9 @@ CVE-2025-59734 (It is possible to cause an use-after-free write in SANM decoding
CVE-2025-59733 (When decoding an OpenEXR file that uses DWAA or DWAB compression, ther ...)
{DSA-6007-1 DSA-5985-1}
- ffmpeg 7:7.1.2-1
+ [bullseye] - ffmpeg <not-affected> (Vulnerable code introduced in version 4.4)
NOTE: https://issuetracker.google.com/issues/436511754
+ NOTE: Introduced in: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc85ca1cb347570a95d8615b7d4c7b542042b7f0 (n4.4)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/0469d68acb52081ca8385b844b9650398242be0f (master)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/de76fb27a6e6da0431154ce9093933281a38a889 (n8.0)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/a9ec8317498b62192cc3df95ef2523eae8ec0294 (n7.1.2)
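Review bot: the new `[bullseye] - ffmpeg <not-affected>` line is backed by the `Introduced in:` note added right after the issue-tracker link, which points at the n4.4 commit, and bullseye follows the 4.3 branch (see the CVE-2025-9951 entry further down in this diff), so the marking is consistent; the same applies to the identical CVE-2025-59732 and CVE-2025-59731 hunks below, which share the same introducing commit. One consistency point for this entry only: it lists fixes for master, n8.0 and n7.1.2, while the two sibling entries also carry an n6.1.3 fix; worth checking whether a 6.1 backport exists for this CVE as well.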
@@ -24411,7 +24413,9 @@ CVE-2025-59733 (When decoding an OpenEXR file that uses DWAA or DWAB compression
CVE-2025-59732 (When decoding an OpenEXR file that uses DWAA or DWAB compression, ther ...)
{DSA-6007-1 DSA-5985-1}
- ffmpeg 7:7.1.2-1
+ [bullseye] - ffmpeg <not-affected> (Vulnerable code introduced in version 4.4)
NOTE: https://issuetracker.google.com/issues/436510316
+ NOTE: Introduced in: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc85ca1cb347570a95d8615b7d4c7b542042b7f0 (n4.4)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/f45da79b2c336c5f8f3e563d72b8a22fecdcde0c (n8.0)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/97932677dbc29c1173f3361886022426ac74197e (n7.1.2)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/fa543b33f63478090137d124c20ff97f76251254 (n6.1.3)
@@ -24419,7 +24423,9 @@ CVE-2025-59732 (When decoding an OpenEXR file that uses DWAA or DWAB compression
CVE-2025-59731 (When decoding an OpenEXR file that uses DWAA or DWAB compression, the ...)
{DSA-6007-1 DSA-5985-1}
- ffmpeg 7:7.1.2-1
+ [bullseye] - ffmpeg <not-affected> (Vulnerable code introduced in version 4.4)
NOTE: https://issuetracker.google.com/issues/436510153
+ NOTE: Introduced in: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc85ca1cb347570a95d8615b7d4c7b542042b7f0 (n4.4)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/0d9c003d76383e82b57b6d5aa33776709d0cda2c (n8.0)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d7e188f33f638d85a1ab70943bde70359454b05c (n7.1.2)
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/be682029ae18b80fa9b27f0715ca77323409379c (n6.1.3)
@@ -35616,11 +35622,12 @@ CVE-2025-10148 (curl's websocket code did not update the 32 bit mask pattern for
CVE-2025-9994 (The Amp\u2019ed RF BT-AP 111 Bluetooth access point's HTTP admin inter ...)
NOT-FOR-US: Amped RF
CVE-2025-9951 (A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows ...)
- - ffmpeg <unfixed>
- [trixie] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 7.1 branch)
- [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
+ - ffmpeg 7:7.1.2-1
[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 4.3 branch)
NOTE: https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg
+ NOTE: https://github.com/FFmpeg/FFmpeg/commit/01a292c7e36545ddeb3c7f79cd02e2611cd37d73 (n8.0)
+ NOTE: https://github.com/FFmpeg/FFmpeg/commit/d141e864f73152e94e0c45cc4abb8c329275c265 (n7.1.2)
+ NOTE: https://github.com/FFmpeg/FFmpeg/commit/1f03c050e4e37f96968d1ffa4d720ed20810fdf6 (n5.1.7)
CVE-2025-9872 (Insufficient filename validation in Ivanti Endpoint Manager before 202 ...)
NOT-FOR-US: Ivanti
CVE-2025-9712 (Insufficient filename validation in Ivanti Endpoint Manager before 202 ...)
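Review bot: dropping the `<unfixed>` line and the trixie/bookworm `<postponed>` lines in favour of `- ffmpeg 7:7.1.2-1` relies on the data/DSA/list hunks in this same merge request, which add CVE-2025-9951 to DSA-6007-1 (trixie 7:7.1.2-0+deb13u1) and DSA-5985-1 (bookworm 7:5.1.7-0+deb12u1); both halves need to land together, otherwise the entry would show as fixed in unstable with no suite fix recorded. The three commit notes line up with those versions (n7.1.2 for unstable and trixie, n5.1.7 for bookworm), and leaving the bullseye `<postponed>` line in place is right while no 4.3 backport is referenced. Style point: the new commit notes have no `Fixed by:` prefix, unlike the CVE-2025-5973x entries earlier in this diff; either form is used in this file, but one entry should stay consistent with itself.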
@@ -101437,12 +101444,12 @@ CVE-2025-1595 (A vulnerability has been found in Anhui Xufan Information Technol
CVE-2025-1594 (A vulnerability, which was classified as critical, was found in FFmpeg ...)
{DSA-6007-1}
- ffmpeg 7:7.1.2-1
- [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed upstream)
NOTE: https://ffmpeg.org/pipermail/ffmpeg-devel/2025-February/339544.html
NOTE: https://trac.ffmpeg.org/ticket/11418
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c (n8.0)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c2184b65d214d60f2d3df86a11ca502567a3d134 (n7.1.2)
+ NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/6023611ca735f448f87e49d1a110875dc8b454c5 (n5.1.8)
CVE-2025-1412 (Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalid ...)
- mattermost-server <itp> (bug #823556)
CVE-2024-55898 (IBM i 7.2, 7.3, 7.4, and 7.5 could allow a user with the capability to ...)
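Review bot: with the bookworm `<postponed>` line removed, bookworm's fix state for this CVE now comes solely from data/DSA/list, where DSA-6079-1 (bookworm 7:5.1.8-0+deb12u1) gains this CVE in the same merge request, and the added n5.1.8 commit note matches that version. One thing to check: the `{DSA-6007-1}` cross-reference line at the top of this entry is not extended with DSA-6079-1; if those lines are maintained by hand rather than regenerated, it should be. The remaining bullseye line still reads "wait until it's fixed upstream" although the entry now links fixes for n8.0, n7.1.2 and n5.1.8; wording it in terms of the 4.3 branch, as the CVE-2025-9951 entry does, would state the actual blocker.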
@@ -125350,8 +125357,8 @@ CVE-2024-36619 (FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the l
CVE-2024-36618 (FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavforma ...)
{DLA-4039-1}
- ffmpeg 7:7.0.1-3
- [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
NOTE: https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857 (n7.0)
+ NOTE: https://github.com/ffmpeg/ffmpeg/commit/b7263cc4d434d10a557491bd5f05e8478ec0a497 (n5.1.8)
CVE-2024-36617 (FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF ...)
{DSA-5721-1 DSA-5712-1}
- ffmpeg 7:7.0.1-3
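Review bot: the removed bookworm `<postponed> (Pick up when fixed in 5.1.x)` line is now satisfied by the n5.1.8 commit note added below the n7.0 one and by DSA-6079-1 (bookworm 7:5.1.8-0+deb12u1) in data/DSA/list. As with the CVE-2025-1594 hunk, the `{DLA-4039-1}` cross-reference line is not updated to also list DSA-6079-1; check whether that line is hand-maintained before merging.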
=====================================
data/DSA/list
=====================================
@@ -10,6 +10,7 @@
[bookworm] - chromium 143.0.7499.109-1~deb12u1
[trixie] - chromium 143.0.7499.109-1~deb13u1
[10 Dec 2025] DSA-6079-1 ffmpeg - security update
+ {CVE-2024-36618 CVE-2025-1594}
[bookworm] - ffmpeg 7:5.1.8-0+deb12u1
[10 Dec 2025] DSA-6078-1 firefox-esr - security update
{CVE-2025-14321 CVE-2025-14322 CVE-2025-14323 CVE-2025-14324 CVE-2025-14325 CVE-2025-14328 CVE-2025-14329 CVE-2025-14330 CVE-2025-14331 CVE-2025-14333}
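Review bot: the added `{CVE-2024-36618 CVE-2025-1594}` line matches the two bookworm-fix commits in this push, and the bookworm version 7:5.1.8-0+deb12u1 agrees with the n5.1.8 commit notes added to both CVE entries in data/CVE/list. Nothing else to raise on this hunk.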
@@ -279,7 +280,7 @@
{CVE-2025-21751 CVE-2025-22103 CVE-2025-22113 CVE-2025-22124 CVE-2025-22125 CVE-2025-23133 CVE-2025-38272 CVE-2025-38306 CVE-2025-38453 CVE-2025-38502 CVE-2025-38556 CVE-2025-38676 CVE-2025-38677 CVE-2025-38730 CVE-2025-38732 CVE-2025-38733 CVE-2025-38734 CVE-2025-38735 CVE-2025-38736 CVE-2025-38737 CVE-2025-39673 CVE-2025-39675 CVE-2025-39676 CVE-2025-39679 CVE-2025-39681 CVE-2025-39682 CVE-2025-39683 CVE-2025-39684 CVE-2025-39685 CVE-2025-39686 CVE-2025-39687 CVE-2025-39689 CVE-2025-39691 CVE-2025-39692 CVE-2025-39693 CVE-2025-39694 CVE-2025-39695 CVE-2025-39697 CVE-2025-39698 CVE-2025-39700 CVE-2025-39701 CVE-2025-39702 CVE-2025-39703 CVE-2025-39705 CVE-2025-39706 CVE-2025-39707 CVE-2025-39709 CVE-2025-39710 CVE-2025-39711 CVE-2025-39712 CVE-2025-39713 CVE-2025-39714 CVE-2025-39715 CVE-2025-39716 CVE-2025-39718 CVE-2025-39719 CVE-2025-39720 CVE-2025-39721 CVE-2025-39722 CVE-2025-39723 CVE-2025-39724 CVE-2025-39759 CVE-2025-39765 CVE-2025-39766 CVE-2025-39767 CVE-2025-39770 CVE-2025-39772 CVE-2025-39773 CVE-2025-39776 CVE-2025-39779 CVE-2025-39780 CVE-2025-39781 CVE-2025-39782 CVE-2025-39783 CVE-2025-39787 CVE-2025-39788 CVE-2025-39790 CVE-2025-39791 CVE-2025-39800 CVE-2025-39801 CVE-2025-39805 CVE-2025-39806 CVE-2025-39807 CVE-2025-39808 CVE-2025-39810 CVE-2025-39811 CVE-2025-39812 CVE-2025-39813 CVE-2025-39815 CVE-2025-39817 CVE-2025-39819 CVE-2025-39823 CVE-2025-39824 CVE-2025-39825 CVE-2025-39826 CVE-2025-39827 CVE-2025-39828 CVE-2025-39829 CVE-2025-39831 CVE-2025-39832 CVE-2025-39835 CVE-2025-39836 CVE-2025-39838 CVE-2025-39839 CVE-2025-39841 CVE-2025-39842 CVE-2025-39843 CVE-2025-39844 CVE-2025-39845 CVE-2025-39846 CVE-2025-39847 CVE-2025-39848 CVE-2025-39849 CVE-2025-39850 CVE-2025-39851 CVE-2025-39852 CVE-2025-39853 CVE-2025-39854 CVE-2025-39857 CVE-2025-39860 CVE-2025-39861 CVE-2025-39863 CVE-2025-39864 CVE-2025-39865 CVE-2025-39866 CVE-2025-40300}
[trixie] - linux 6.12.48-1
[21 Sep 2025] DSA-6007-1 ffmpeg - security update
- {CVE-2025-1594 CVE-2025-7700 CVE-2025-10256 CVE-2025-59731 CVE-2025-59732 CVE-2025-59733 CVE-2025-12343}
+ {CVE-2025-1594 CVE-2025-7700 CVE-2025-10256 CVE-2025-59731 CVE-2025-59732 CVE-2025-59733 CVE-2025-12343 CVE-2025-9951}
[trixie] - ffmpeg 7:7.1.2-0+deb13u1
[19 Sep 2025] DSA-6006-1 jetty12 - security update
{CVE-2025-5115}
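Review bot: appending CVE-2025-9951 to DSA-6007-1 is what allows the trixie `<postponed>` line to be dropped from that CVE entry; the trixie version 7:7.1.2-0+deb13u1 matches the n7.1.2 commit linked for the CVE. The ID is appended at the end rather than inserted in numeric order, which follows the existing style of this list (CVE-2025-12343 already sits after CVE-2025-59733).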
@@ -360,7 +361,7 @@
[bookworm] - node-cipher-base 1.0.4-6+deb12u1
[trixie] - node-cipher-base 1.0.4-6+deb13u1
[25 Aug 2025] DSA-5985-1 ffmpeg - security update
- {CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31582 CVE-2024-35367 CVE-2024-35368 CVE-2025-0518 CVE-2025-7700 CVE-2025-22919 CVE-2023-6605 CVE-2023-6602 CVE-2023-6604 CVE-2023-6601 CVE-2025-59731 CVE-2025-59732 CVE-2025-59733}
+ {CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31582 CVE-2024-35367 CVE-2024-35368 CVE-2025-0518 CVE-2025-7700 CVE-2025-22919 CVE-2023-6605 CVE-2023-6602 CVE-2023-6604 CVE-2023-6601 CVE-2025-59731 CVE-2025-59732 CVE-2025-59733 CVE-2025-9951}
[bookworm] - ffmpeg 7:5.1.7-0+deb12u1
[24 Aug 2025] DSA-5984-1 thunderbird - security update
{CVE-2025-9179 CVE-2025-9180 CVE-2025-9181 CVE-2025-9185}
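Review bot: likewise, adding CVE-2025-9951 to DSA-5985-1 backs the removal of the bookworm `<postponed>` line for that CVE; the bookworm version 7:5.1.7-0+deb12u1 matches the n5.1.7 commit note added in data/CVE/list. Listing one CVE under both DSA-5985-1 (25 Aug 2025, bookworm) and DSA-6007-1 (21 Sep 2025, trixie) is consistent, since each advisory records its own suite's fixing upload.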
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d84d89e0ba6d4cf1e0847c2e10c8886fff50cbe1...4a00cdb986591743e5579632fd677616f3fb9aac