ffmpeg - Debian Package Tracker

general

source: ffmpeg (main)
version: 7:8.1-3
maintainer: Debian Multimedia Maintainers (archive) (DMD)
uploaders: Reinhard Tartler [DMD] – Sebastian Ramacher [DMD] – James Cowgill [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7:4.3.7-0+deb11u1
o-o-sec: 7:4.3.9-0+deb11u2
o-o-p-u: 7:4.3.7-0+deb11u1
oldstable: 7:5.1.8-0+deb12u1
old-sec: 7:5.1.8-0+deb12u1
stable: 7:7.1.3-0+deb13u1
stable-sec: 7:7.1.3-0+deb13u1
testing: 7:8.1-3
unstable: 7:8.1-3

versioned links

7:4.3.7-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.3.9-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:5.1.8-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.3-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:8.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ffmpeg (19 bugs: 0, 14, 5, 0)
ffmpeg-doc
libavcodec-dev (1 bugs: 0, 0, 1, 0)
libavcodec-extra
libavcodec-extra62
libavcodec62
libavdevice-dev
libavdevice62
libavfilter-dev
libavfilter-extra
libavfilter-extra11
libavfilter11
libavformat-dev (1 bugs: 0, 1, 0, 0)
libavformat-extra
libavformat-extra62
libavformat62
libavutil-dev
libavutil60
libswresample-dev
libswresample6
libswscale-dev
libswscale9

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2026-6385: A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2026-30997: An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Created: 2026-04-15 Last update: 2026-04-18 10:01

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-6385: A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2026-30997: An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Created: 2026-04-15 Last update: 2026-04-18 10:01

lintian reports 5 errors and 9 warnings high

Lintian reports 5 errors and 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-21 Last update: 2026-03-21 09:31

4 bugs tagged patch in the BTS normal

The BTS contains patches fixing 4 bugs, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-04-27 00:00

Depends on packages which need a new maintainer normal

The packages that ffmpeg depends on which need a new maintainer are:

libiec61883 (#826285)
- Depends: libiec61883-0 libiec61883-0
- Build-Depends: libiec61883-dev

Created: 2019-11-22 Last update: 2026-04-26 23:01

6 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 5260145048d6642b066976097dfdf309c6cf8974
Merge: d6f36ef 0c70053
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Wed Mar 25 11:33:52 2026 +0100

    Merge branch 'hurd' into 'debian/master'
    
    Few Hurd build fixes/changes
    
    See merge request multimedia-team/ffmpeg!19

commit 0c7005341918fb6b19fc5e8eb8e3c1fe9807d5b3
Author: Pino Toscano <pino@debian.org>
Date:   Wed Mar 25 08:13:35 2026 +0100

    debian/control: Enable vulkan on any architecture
    
    The base vulkan stack (drivers excluded) is generally portable on many
    OSes, so enable vulkan on every architecture.
    
    Gbp-Dch: Short

commit 2aaef8eab7ff0658f837f14b2c31c3cc1edb37c3
Author: Pino Toscano <pino@debian.org>
Date:   Wed Mar 25 08:12:09 2026 +0100

    debian/: Enable libsmbclient also on hurd-i386
    
    samba has been available on hurd-i386 for quite some time, and the
    hurd-amd64 build of ffmpeg has always used samba.
    
    Gbp-Dch: Short

commit d6f36ef63ade6305e67f61eb09ed346a647de6fa
Merge: a324221 62fee62
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Mon Mar 23 16:26:21 2026 +0100

    Merge branch 'update-copyright' into 'debian/master'
    
    d/copyright: Update for added and moved files in ffmpeg 8.1
    
    See merge request multimedia-team/ffmpeg!18

commit 62fee622c7f76789c852c9539c1bdfecb4a57c32
Author: Diederik de Haas <didi.debian@cknow.org>
Date:   Mon Nov 24 12:22:35 2025 +0100

    d/copyright: Update for added and moved files in ffmpeg 8.1
    
    libavfilter:
    A .h file was renamed and a .c file added in upstream commit
    9b34088c4dfe ("avfilter/vf_fspp: Add DSPCtx, move DSP functions to file of their own")
    
    tests:
    A .c file was renamed in upstream commit
    4715b9bac22a ("tests/checkasm/llviddspenc: Rename to llvidencdsp")
    
    So update debian/copyright accordingly.
    
    Signed-off-by: Diederik de Haas <didi.debian@cknow.org>

commit a32422158cb93ea39440724688c2dc7f3d4fb35c
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Sat Mar 21 18:56:05 2026 +0100

    Fix typo

Created: 2026-03-21 Last update: 2026-04-22 03:30

4 low-priority security issues in trixie low

There are 4 open security issues in trixie.

4 issues left for the package maintainer to handle:

CVE-2026-6385: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2025-22921: (postponed; to be fixed through a stable update) FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
CVE-2026-30997: (postponed; to be fixed through a stable update) An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2026-40962: (postponed; to be fixed through a stable update) FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-12-31 Last update: 2026-04-18 10:01

10 low-priority security issues in bookworm low

There are 10 open security issues in bookworm.

10 issues left for the package maintainer to handle:

CVE-2023-6601: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2026-6385: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2023-49528: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via the af_dialoguenhance.c:261:5 in the de_stereo component.
CVE-2024-31578: (postponed; to be fixed through a stable update) FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.
CVE-2024-35369: (postponed; to be fixed through a stable update) In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.
CVE-2024-36615: (postponed; to be fixed through a stable update) FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
CVE-2025-10256: (postponed; to be fixed through a stable update) A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.
CVE-2025-22921: (postponed; to be fixed through a stable update) FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
CVE-2026-30997: (postponed; to be fixed through a stable update) An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2026-40962: (postponed; to be fixed through a stable update) FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-12 Last update: 2026-04-18 10:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

news

[rss feed]

[2026-03-29] ffmpeg 7:8.1-3 MIGRATED to testing (Debian testing watch)
[2026-03-20] Accepted ffmpeg 7:8.1-3 (source) into unstable (Sebastian Ramacher)
[2026-03-20] Accepted ffmpeg 7:8.1-2 (source) into unstable (Sebastian Ramacher)
[2026-03-20] Accepted ffmpeg 7:8.1-1 (source) into unstable (Sebastian Ramacher)
[2026-01-16] Accepted ffmpeg 7:4.3.9-0+deb11u2 (source) into oldoldstable-security (Carlos Henrique Lima Melara)
[2026-01-03] Accepted ffmpeg 7:5.1.8-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-01-02] ffmpeg 7:8.0.1-3 MIGRATED to testing (Debian testing watch)
[2025-12-29] Accepted ffmpeg 7:8.0.1-3 (source) into unstable (Sebastian Ramacher)
[2025-12-20] Accepted ffmpeg 7:7.1.3-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-16] ffmpeg 7:8.0.1-2 MIGRATED to testing (Debian testing watch)
[2025-12-13] Accepted ffmpeg 7:8.0.1-2 (source) into unstable (Sebastian Ramacher)
[2025-12-10] Accepted ffmpeg 7:5.1.8-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-07] Accepted ffmpeg 7:7.1.3-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-02] ffmpeg 7:7.1.3-1 MIGRATED to testing (Debian testing watch)
[2025-11-30] Accepted ffmpeg 7:7.1.3-1 (source) into unstable (Sebastian Ramacher)
[2025-11-21] Accepted ffmpeg 7:8.0.1-1 (source) into experimental (Sebastian Ramacher)
[2025-11-12] Accepted ffmpeg 7:8.0-2 (source) into experimental (Sebastian Ramacher)
[2025-09-26] Accepted ffmpeg 7:7.1.2-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-09-23] ffmpeg 7:7.1.2-1 MIGRATED to testing (Debian testing watch)
[2025-09-21] Accepted ffmpeg 7:7.1.2-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-09-20] Accepted ffmpeg 7:7.1.2-1 (source) into unstable (Sebastian Ramacher)
[2025-09-12] Accepted ffmpeg 7:8.0-1 (all amd64 source) into experimental (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-08-26] Accepted ffmpeg 7:5.1.7-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-08-25] Accepted ffmpeg 7:5.1.7-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-07-14] Accepted ffmpeg 7:4.3.9-0+deb11u1 (source) into oldstable-security (Adrian Bunk)
[2025-03-11] ffmpeg 7:7.1.1-1 MIGRATED to testing (Debian testing watch)
[2025-03-08] Accepted ffmpeg 7:7.1.1-1 (source) into unstable (Sebastian Ramacher)
[2025-02-28] Accepted ffmpeg 7:4.3.8-0+deb11u3 (source) into oldstable-security (Thorsten Alteholz)
[2025-02-24] ffmpeg 7:7.1-4 MIGRATED to testing (Debian testing watch)
[2025-02-21] Accepted ffmpeg 7:7.1-4 (source) into unstable (Sebastian Ramacher)

bugs [bug history graph]

all: 26 27
RC: 0
I&N: 19
M&W: 7 8
F&P: 0
patch: 4

links

homepage
lintian (5, 9)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7:8.0.1-3ubuntu2
12 bugs
patches for 7:8.0.1-3ubuntu2