
Cloud Vulnerability DB
A community-led vulnerabilities database
The MPlayer Project mencoder SVN-r38374-13.0.1 contains a Divide By Zero vulnerability in the config() function of libmpcodecs/vf_scale.c. The vulnerability was discovered in August 2022 and was assigned CVE-2022-38850. This security flaw affects various versions of MPlayer, including those distributed in major Linux distributions like Debian and Ubuntu (Debian LTS, Ubuntu Security).
The vulnerability is a division by zero in the config() function of libmpcodecs/vf_scale.c. It occurs during video scaling operations when processing certain video files. It has been assigned a CVSS 3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Exploitation requires local access and user interaction (Ubuntu Security).
The vulnerability can lead to a denial of service condition through application crashes when processing specially crafted video files. The CVSS scoring indicates that while there is no impact on confidentiality or integrity, there is a high impact on availability. The vulnerability affects the mencoder component, which is a key part of the MPlayer Project used for video encoding (MPlayer Ticket).
The vulnerability was fixed in MPlayer revision r38390. Various Linux distributions have released patched versions: Ubuntu 22.04 LTS (version 2:1.4+ds1-3ubuntu0.1), Ubuntu 20.04 LTS (version 2:1.3.0-8+deb10u1build0.20.04.1), and Debian 10 (version 2:1.3.0-8+deb10u1). Users should upgrade to these patched versions (Debian LTS, Ubuntu Security).
Source: This report was generated using AI