hendriks73 / ffsampledsp

FFmpeg based service provider for javax.sound.sampled.
GNU Lesser General Public License v2.1

Potential security vulnerability in the FFmpeg library. #14

Closed. HelenParr closed this issue 1 year ago.

HelenParr commented 2 years ago

Hi @hendriks73, @jonashartwig, I'd like to report a vulnerability issue in com.tagtraum:ffsampledsp-complete:0.9.45.

Issue Description

com.tagtraum:ffsampledsp-complete:0.9.45 directly depends on 1 C library (.so). However, I noticed that this C library is vulnerable, containing the following CVE:

ffsampledsp-x86_64-unix.so, from the C project ffmpeg (version 4.0.3), exposes 1 vulnerability: CVE-2019-11339

Suggested Vulnerability Patch Versions

ffmpeg has fixed the vulnerabilities in versions >=4.4.1

Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects. Could you please upgrade the above shared library to its patched version?

Thanks for your help!

Best regards,
Helen Parr
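The gap Helen describes (a Java dependency scanner sees the Maven coordinates but not the native library bundled inside the jar) can be closed with a small inventory script. The following is an added example for this thread, not code from the issue or from the FFSampledSP project: it opens a jar as a zip archive, lists every native library entry, greps each one for FFmpeg identification strings, and compares any release version it finds against a "fixed in" threshold such as the 4.4.1 from the report or the 4.0.4 suggested below. The string patterns (the `Lavc`/`Lavf`/`Lavu` library ident strings and an `FFmpeg version N` prefix), the sample jar contents and the entry names are assumptions constructed for the demo. A match is evidence, not proof: a build may carry backported fixes under an old version number, and a static build that strips strings will simply not match.

```python
"""Inventory native libraries inside a Java artifact and look for FFmpeg
version strings in them.

Added example for the FFSampledSP issue thread; not part of the project.
The search patterns below are heuristics (assumptions about what
FFmpeg-derived binaries usually embed), not a definitive fingerprint."""
import io
import re
import zipfile

# File suffixes that mark a native library entry inside a jar (assumed list).
NATIVE_SUFFIXES = (".so", ".dylib", ".dll", ".jnilib")

# Assumed heuristics:
#   "Lavc58.18.100" style per-library ident strings (libavcodec/format/util)
#   "FFmpeg version 4.0.3" style release string, if the build embeds one
IDENT_RE = re.compile(rb"Lav[cfu]\d+\.\d+\.\d+")
RELEASE_RE = re.compile(rb"ffmpeg version (\d+\.\d+(?:\.\d+)?)", re.IGNORECASE)


def parse_version(text):
    """'4.0.3' -> (4, 0, 3); non-numeric input raises ValueError on purpose."""
    return tuple(int(part) for part in text.split("."))


def is_older_than(found, fixed):
    """True if `found` sorts strictly below `fixed`; missing components count as 0,
    so '4.4' and '4.4.0' compare equal rather than older."""
    a, b = parse_version(found), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def scan_jar(jar_bytes, fixed_version):
    """Return one finding per native library in the archive.

    Each finding records the entry name, the FFmpeg library ident strings and
    release versions found in it, and whether any release is below `fixed_version`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(NATIVE_SUFFIXES):
                continue
            blob = zf.read(name)
            idents = sorted({m.group(0).decode() for m in IDENT_RE.finditer(blob)})
            releases = sorted({m.group(1).decode() for m in RELEASE_RE.finditer(blob)})
            findings.append({
                "entry": name,
                "lib_idents": idents,
                "ffmpeg_releases": releases,
                "below_fix": any(is_older_than(r, fixed_version) for r in releases),
            })
    return findings


def build_sample_jar():
    """Constructed sample jar: a manifest, one class file stub and one native
    entry whose bytes mimic the strings a static FFmpeg build might carry.
    Entry names and contents are invented for the demo."""
    native = (
        b"\x7fELF" + b"\x00" * 32
        + b"--enable-static --disable-shared\x00"
        + b"Lavu56.14.100\x00Lavc58.18.100\x00Lavf58.12.100\x00"
        + b"FFmpeg version 4.0.3\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/tagtraum/ffsampledsp/Example.class", b"\xca\xfe\xba\xbe")
        zf.writestr("ffsampledsp-x86_64-unix.so", native)
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_jar() with open("ffsampledsp-complete.jar", "rb").read()
    # to scan a real artifact; the threshold is the version the advisory names.
    for finding in scan_jar(build_sample_jar(), "4.4.1"):
        flag = "BELOW FIX" if finding["below_fix"] else "ok"
        print(f"{finding['entry']}: idents={finding['lib_idents']} "
              f"releases={finding['ffmpeg_releases']} [{flag}]")
```

Run it against the real jar by reading the file instead of calling `build_sample_jar()`. If only the `Lav*` ident strings match and no release string does, the version still has to come from the build documentation (as it did in this report), but at least the native entry is now on the inventory a Java-only scanner would have missed.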

hendriks73 commented 2 years ago

Hey @HelenParr ,

I appreciate the heads-up! May I ask how you came across this and decided to raise this issue with FFSampledSP?

Cheers,

-hendrik

PS: It looks like updating FFmpeg to 4.0.4 (instead of 4.4.1) also fixes this issue. Right?