ffmpeg - Debian Package Tracker

general

source: ffmpeg (main)
version: 7:8.1-3
maintainer: Debian Multimedia Maintainers (archive) (DMD)
uploaders: Reinhard Tartler [DMD] – Sebastian Ramacher [DMD] – James Cowgill [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7:4.3.7-0+deb11u1
o-o-sec: 7:4.3.9-0+deb11u2
o-o-p-u: 7:4.3.7-0+deb11u1
oldstable: 7:5.1.8-0+deb12u1
old-sec: 7:5.1.8-0+deb12u1
stable: 7:7.1.3-0+deb13u1
stable-sec: 7:7.1.3-0+deb13u1
testing: 7:8.0.1-3
unstable: 7:8.1-3

versioned links

7:4.3.7-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.3.9-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:5.1.8-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.3-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:8.0.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:8.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ffmpeg (19 bugs: 0, 14, 5, 0)
ffmpeg-doc
libavcodec-dev (1 bugs: 0, 0, 1, 0)
libavcodec-extra
libavcodec-extra62
libavcodec62
libavdevice-dev
libavdevice62
libavfilter-dev
libavfilter-extra
libavfilter-extra11
libavfilter11
libavformat-dev (1 bugs: 0, 1, 0, 0)
libavformat-extra
libavformat-extra62
libavformat62
libavutil-dev
libavutil60
libswresample-dev
libswresample6
libswscale-dev
libswscale9

action needed

lintian reports 5 errors and 9 warnings high

Lintian reports 5 errors and 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-21 Last update: 2026-03-21 09:31

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-69693: Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.

Created: 2026-03-17 Last update: 2026-03-21 07:00

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2026-03-22 06:30

Depends on packages which need a new maintainer normal

The packages that ffmpeg depends on which need a new maintainer are:

libiec61883 (#826285)
- Depends: libiec61883-0 libiec61883-0
- Build-Depends: libiec61883-dev

Created: 2019-11-22 Last update: 2026-03-22 05:31

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit a32422158cb93ea39440724688c2dc7f3d4fb35c
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Sat Mar 21 18:56:05 2026 +0100

    Fix typo

Created: 2026-03-21 Last update: 2026-03-21 20:02

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2025-22921: (postponed; to be fixed through a stable update) FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-12-31 Last update: 2026-03-21 07:00

7 low-priority security issues in bookworm low

There are 7 open security issues in bookworm.

7 issues left for the package maintainer to handle:

CVE-2023-6601: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2023-49528: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via the af_dialoguenhance.c:261:5 in the de_stereo component.
CVE-2024-31578: (postponed; to be fixed through a stable update) FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.
CVE-2024-35369: (postponed; to be fixed through a stable update) In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.
CVE-2024-36615: (postponed; to be fixed through a stable update) FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
CVE-2025-10256: (postponed; to be fixed through a stable update) A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.
CVE-2025-22921: (postponed; to be fixed through a stable update) FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-12 Last update: 2026-03-21 07:00

testing migrations

This package is part of the ongoing testing transition known as auto-svt-av1. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migrates after: svt-av1
- Migration status for ffmpeg (7:8.0.1-3 to 7:8.1-3): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for ffmpeg/7:8.1-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for liquidsoap/2.4.2-1: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Reference test triggered, but real test failed already ♻, s390x: Regression ♻ (reference ♻)
- ∙ ∙ Autopkgtest for python-av/16.1.0+ds-3: amd64: Pass, arm64: Regression ♻ (reference ♻), i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for python-pyvista/0.46.5-8: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for qtox/1.18.3-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for winff/1.6.4+dfsg-5: amd64: Regression ♻ (reference ♻), arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Regression ♻ (reference ♻)
- ∙ ∙ Lintian check waiting for test results on riscv64 - info
- ∙ ∙ Too young, only 1 of 5 days old
- ∙ ∙ Depends: ffmpeg svt-av1
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/f/ffmpeg.html
- ∙ ∙ Reproduced on amd64
- ∙ ∙ Reproducibility check waiting for results on arm64
- ∙ ∙ Reproduced on armhf
- ∙ ∙ Reproduced on i386
- ∙ ∙ Reproducibility check waiting for results on ppc64el
- Not considered

news

[rss feed]

[2026-03-20] Accepted ffmpeg 7:8.1-3 (source) into unstable (Sebastian Ramacher)
[2026-03-20] Accepted ffmpeg 7:8.1-2 (source) into unstable (Sebastian Ramacher)
[2026-03-20] Accepted ffmpeg 7:8.1-1 (source) into unstable (Sebastian Ramacher)
[2026-01-16] Accepted ffmpeg 7:4.3.9-0+deb11u2 (source) into oldoldstable-security (Carlos Henrique Lima Melara)
[2026-01-03] Accepted ffmpeg 7:5.1.8-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-01-02] ffmpeg 7:8.0.1-3 MIGRATED to testing (Debian testing watch)
[2025-12-29] Accepted ffmpeg 7:8.0.1-3 (source) into unstable (Sebastian Ramacher)
[2025-12-20] Accepted ffmpeg 7:7.1.3-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-16] ffmpeg 7:8.0.1-2 MIGRATED to testing (Debian testing watch)
[2025-12-13] Accepted ffmpeg 7:8.0.1-2 (source) into unstable (Sebastian Ramacher)
[2025-12-10] Accepted ffmpeg 7:5.1.8-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-07] Accepted ffmpeg 7:7.1.3-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-02] ffmpeg 7:7.1.3-1 MIGRATED to testing (Debian testing watch)
[2025-11-30] Accepted ffmpeg 7:7.1.3-1 (source) into unstable (Sebastian Ramacher)
[2025-11-21] Accepted ffmpeg 7:8.0.1-1 (source) into experimental (Sebastian Ramacher)
[2025-11-12] Accepted ffmpeg 7:8.0-2 (source) into experimental (Sebastian Ramacher)
[2025-09-26] Accepted ffmpeg 7:7.1.2-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-09-23] ffmpeg 7:7.1.2-1 MIGRATED to testing (Debian testing watch)
[2025-09-21] Accepted ffmpeg 7:7.1.2-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-09-20] Accepted ffmpeg 7:7.1.2-1 (source) into unstable (Sebastian Ramacher)
[2025-09-12] Accepted ffmpeg 7:8.0-1 (all amd64 source) into experimental (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-08-26] Accepted ffmpeg 7:5.1.7-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-08-25] Accepted ffmpeg 7:5.1.7-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-07-14] Accepted ffmpeg 7:4.3.9-0+deb11u1 (source) into oldstable-security (Adrian Bunk)
[2025-03-11] ffmpeg 7:7.1.1-1 MIGRATED to testing (Debian testing watch)
[2025-03-08] Accepted ffmpeg 7:7.1.1-1 (source) into unstable (Sebastian Ramacher)
[2025-02-28] Accepted ffmpeg 7:4.3.8-0+deb11u3 (source) into oldstable-security (Thorsten Alteholz)
[2025-02-24] ffmpeg 7:7.1-4 MIGRATED to testing (Debian testing watch)
[2025-02-21] Accepted ffmpeg 7:7.1-4 (source) into unstable (Sebastian Ramacher)
[2025-01-31] Accepted ffmpeg 7:4.3.8-0+deb11u2 (source) into oldstable-security (Thorsten Alteholz)

bugs [bug history graph]

all: 26 27
RC: 0
I&N: 19
M&W: 7 8
F&P: 0
patch: 3

links

homepage
lintian (5, 9)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7:8.0.1-3ubuntu2
12 bugs
patches for 7:8.0.1-3ubuntu2