CVE-2024-7055

NameCVE-2024-7055
DescriptionA vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3928-1, DSA-5748-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ffmpeg (PTS)bullseye7:4.3.7-0+deb11u1vulnerable
bullseye (security)7:4.3.8-0+deb11u1fixed
bookworm, bookworm (security)7:5.1.6-0+deb12u1fixed
sid, trixie7:7.1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ffmpegsourcebullseye7:4.3.8-0+deb11u1DLA-3928-1
ffmpegsourcebookworm7:5.1.6-0+deb12u1DSA-5748-1
ffmpegsource(unstable)7:7.0.2-1

Notes

https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3faadbe2a27e74ff5bb5f7904ec27bb1f5287dc8 (master)
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=587acd0d4020859e67d1f07aeff2c885797ebcce (n7.0.2)
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5372bfe01e4a04357ab4465c1426cf8c6412dfd5 (n5.1.6)

Search for package or bug name: Reporting problems