CVE-2023-49502: 
Ffmpeg vulnerability analysis and mitigation

CVE-2023-49502 is a Buffer Overflow vulnerability discovered in FFmpeg version n6.1-3-g466799d4f5. The vulnerability affects the ffbwdiffilterintrac function in the libavfilter/bwdifdsp.c:125:5 component, allowing a local attacker to execute arbitrary code (NVD, CVE). The issue was discovered by Zeng Yunxiang and Song Jiaxuan from HUST (FFmpeg Ticket).

The vulnerability is a heap-buffer-overflow that occurs in the ffbwdiffilterintrac function when processing video frames with specific dimensions. The issue can be reproduced with YUV420p input with a height of 6 or lower, where after chroma subsampling the height of the chroma planes becomes less than 4. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow an attacker to execute arbitrary code through specially crafted input files. The buffer overflow condition could lead to system crashes resulting in denial of service, or potentially allow for code execution with the privileges of the FFmpeg process (Ubuntu Security).

The vulnerability has been fixed in FFmpeg through commit 737ede405b11a37fdd61d19cf25df296a0cb0b75. Various Linux distributions have released patched versions including Ubuntu 18.04 LTS through 24.04 LTS, and Fedora 38 through 40. Users are advised to update to the latest version of FFmpeg or apply the available security patches (Ubuntu Security, Debian Tracker).