ffmpeg - Debian Package Tracker

general

source: ffmpeg (main)
version: 7:7.1-3
maintainer: Debian Multimedia Maintainers (archive) (DMD)
uploaders: Reinhard Tartler [DMD] – James Cowgill [DMD] – Balint Reczey [DMD] – Sebastian Ramacher [DMD]
arch: all any
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7:4.1.9-0+deb10u1
o-o-sec: 7:4.1.11-0+deb10u1
oldstable: 7:4.3.7-0+deb11u1
old-sec: 7:4.3.8-0+deb11u2
old-p-u: 7:4.3.7-0+deb11u1
stable: 7:5.1.6-0+deb12u1
stable-sec: 7:5.1.6-0+deb12u1
testing: 7:7.1-3
unstable: 7:7.1-3

versioned links

7:4.1.9-0+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.1.11-0+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.3.7-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.3.8-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:5.1.6-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ffmpeg (18 bugs: 0, 13, 5, 0)
ffmpeg-doc
libavcodec-dev (1 bugs: 0, 0, 1, 0)
libavcodec-extra
libavcodec-extra61
libavcodec61
libavdevice-dev
libavdevice61
libavfilter-dev
libavfilter-extra
libavfilter-extra10
libavfilter10
libavformat-dev (1 bugs: 0, 1, 0, 0)
libavformat-extra
libavformat-extra61
libavformat61
libavutil-dev
libavutil59
libpostproc-dev
libpostproc58
libswresample-dev
libswresample5
libswscale-dev
libswscale8

action needed

7 security issues in trixie high

There are 7 open security issues in trixie.

7 important issues:

CVE-2023-6601: A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2023-6602: A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists.
CVE-2023-6603: A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
CVE-2023-6604: A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.
CVE-2023-6605: A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
CVE-2025-0518: Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a This issue was discovered by: Simcha Kosman
CVE-2025-25473: FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.

Created: 2024-12-31 Last update: 2025-02-19 18:31

7 security issues in sid high

There are 7 open security issues in sid.

7 important issues:

CVE-2023-6601: A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2023-6602: A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists.
CVE-2023-6603: A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
CVE-2023-6604: A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.
CVE-2023-6605: A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
CVE-2025-0518: Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a This issue was discovered by: Simcha Kosman
CVE-2025-25473: FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.

Created: 2024-12-31 Last update: 2025-02-19 18:31

11 security issues in bullseye high

There are 11 open security issues in bullseye.

11 important issues:

CVE-2023-6601: A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2023-6602: A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists.
CVE-2023-6603: A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
CVE-2023-6604: A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.
CVE-2023-6605: A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
CVE-2025-0518: Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a This issue was discovered by: Simcha Kosman
CVE-2024-35366: FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.
CVE-2024-36615: FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
CVE-2024-36616: An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file.
CVE-2024-36617: FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
CVE-2025-25473: FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.

Created: 2024-11-29 Last update: 2025-02-19 18:31

lintian reports 6 errors and 9 warnings high

Lintian reports 6 errors and 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-10-28 Last update: 2024-12-28 15:01

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-02-21 11:30

Depends on packages which need a new maintainer normal

The packages that ffmpeg depends on which need a new maintainer are:

libbs2b (#1007187)
- Depends: libbs2b0 libbs2b0
- Build-Depends: libbs2b-dev
libiec61883 (#826285)
- Depends: libiec61883-0
- Build-Depends: libiec61883-dev

Created: 2019-11-22 Last update: 2025-02-21 09:31

2 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 36a9052343ea822f76969e8b40577a341089df4d
Merge: c3a756b c14992c
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Thu Feb 13 14:44:27 2025 +0000

    Merge branch 'bootstrap-v5' into 'debian/master'
    
    Move build-dependency from libjs-bootstrap to libjs-bootstrap5
    
    See merge request multimedia-team/ffmpeg!13

commit c14992c4d2bc7c70641fd6361d30386abb9be7f4
Author: Santiago Ruano Rincón <santiagorr@riseup.net>
Date:   Wed Feb 12 21:38:25 2025 -0300

    Move build-dependency from libjs-bootstrap to libjs-bootstrap5
    
    bootstrap 3 (src:twitter-bootstrap3) has been EOL'ed by upstream, and
    there are security issues complex to solve (CVE-2024-6484 and
    CVE-2024-6485). With this change, debci moves to the maintained
    bootstrap v5.
    
    Closes: #1088454

Created: 2025-02-13 Last update: 2025-02-13 16:02

19 low-priority security issues in bookworm low

There are 19 open security issues in bookworm.

19 issues left for the package maintainer to handle:

CVE-2023-6601: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2023-6602: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists.
CVE-2023-6603: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
CVE-2023-6604: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.
CVE-2023-6605: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
CVE-2025-0518: (postponed; to be fixed through a stable update) Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a This issue was discovered by: Simcha Kosman
CVE-2023-49502: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c function in the libavfilter/bwdifdsp.c:125:5 component.
CVE-2023-49528: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via the af_dialoguenhance.c:261:5 in the de_stereo component.
CVE-2023-50007: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via theav_samples_set_silence function in thelibavutil/samplefmt.c:260:9 component.
CVE-2023-50008: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the av_malloc function in libavutil/mem.c:105:9 component.
CVE-2024-31578: (postponed; to be fixed through a stable update) FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.
CVE-2024-31582: (postponed; to be fixed through a stable update) FFmpeg version n6.1 was discovered to contain a heap buffer overflow vulnerability in the draw_block_rectangle function of libavfilter/vf_codecview.c. This vulnerability allows attackers to cause undefined behavior or a Denial of Service (DoS) via crafted input.
CVE-2024-32228: (postponed; to be fixed through a stable update) FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavcodec/hevcdec.c:2947:22 in hevc_frame_end.
CVE-2024-35367: (postponed; to be fixed through a stable update) FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer
CVE-2024-35368: (postponed; to be fixed through a stable update) FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.
CVE-2024-35369: (postponed; to be fixed through a stable update) In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.
CVE-2024-36615: (postponed; to be fixed through a stable update) FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
CVE-2024-36618: (postponed; to be fixed through a stable update) FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
CVE-2025-25473: (postponed; to be fixed through a stable update) FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-12 Last update: 2025-02-19 18:31

debian/patches: 15 patches to forward upstream low

Among the 15 debian patches available in version 7:7.1-3 of the package, we noticed the following issues:

15 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2024-08-10 Last update: 2024-10-28 09:32

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2024-06-09 Last update: 2024-07-29 04:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.1 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-02-21 04:27

testing migrations

This package will soon be part of the auto-libxml2 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-jpeg-xl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2025-02-21] Accepted ffmpeg 7:7.1-4 (source) into unstable (Sebastian Ramacher)
[2025-01-31] Accepted ffmpeg 7:4.3.8-0+deb11u2 (source) into oldstable-security (Thorsten Alteholz)
[2024-10-31] ffmpeg 7:7.1-3 MIGRATED to testing (Debian testing watch)
[2024-10-27] Accepted ffmpeg 7:7.1-3 (source) into unstable (Sebastian Ramacher)
[2024-10-21] Accepted ffmpeg 7:4.3.8-0+deb11u1 (source) into oldstable-security (Emilio Pozuelo Monfort)
[2024-10-20] Accepted ffmpeg 7:7.1-2 (source) into experimental (Sebastian Ramacher)
[2024-10-20] Accepted ffmpeg 7:7.1-1 (source) into experimental (Sebastian Ramacher)
[2024-08-16] ffmpeg 7:7.0.2-3 MIGRATED to testing (Debian testing watch)
[2024-08-14] Accepted ffmpeg 7:5.1.6-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2024-08-14] Accepted ffmpeg 7:5.1.6-0+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2024-08-13] Accepted ffmpeg 7:7.0.2-3 (source) into unstable (Sebastian Ramacher)
[2024-08-13] ffmpeg 7:7.0.2-2 MIGRATED to testing (Debian testing watch)
[2024-08-10] Accepted ffmpeg 7:7.0.2-2 (source) into unstable (Sebastian Ramacher)
[2024-08-10] ffmpeg 7:7.0.2-1 MIGRATED to testing (Debian testing watch)
[2024-08-04] ffmpeg 7:7.0.1-5 MIGRATED to testing (Debian testing watch)
[2024-08-03] Accepted ffmpeg 7:7.0.2-1 (source) into unstable (Sebastian Ramacher)
[2024-07-30] Accepted ffmpeg 7:7.0.1-5 (source) into unstable (Sebastian Ramacher)
[2024-07-28] Accepted ffmpeg 7:7.0.1-4 (source) into unstable (Sebastian Ramacher)
[2024-07-28] Accepted ffmpeg 7:7.0.1-3 (source) into unstable (Sebastian Ramacher)
[2024-07-26] ffmpeg 7:6.1.1-5 MIGRATED to testing (Debian testing watch)
[2024-07-08] Accepted ffmpeg 7:7.0.1-2 (source) into experimental (Sebastian Ramacher)
[2024-07-08] Accepted ffmpeg 7:6.1.1-5 (source) into unstable (Sebastian Ramacher)
[2024-06-29] Accepted ffmpeg 7:4.3.7-0+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2024-06-26] Accepted ffmpeg 7:4.3.7-0+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2024-06-16] Accepted ffmpeg 7:5.1.5-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2024-06-15] Accepted ffmpeg 7:5.1.5-0+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2024-05-31] Accepted ffmpeg 7:7.0.1-1 (source) into experimental (Sebastian Ramacher)
[2024-05-02] ffmpeg 7:6.1.1-4 MIGRATED to testing (Debian testing watch)
[2024-04-20] Accepted ffmpeg 7:6.1.1-4 (source) into unstable (Sebastian Ramacher)
[2024-04-07] Accepted ffmpeg 7:7.0-1 (all amd64 source) into experimental (Debian FTP Masters) (signed by: Sebastian Ramacher)

bugs [bug history graph]

all: 25 26
RC: 0
I&N: 17
M&W: 7 8
F&P: 1
patch: 1

links

homepage
lintian (6, 9)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7:7.1-3ubuntu3
11 bugs
patches for 7:7.1-3ubuntu3