More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2346414
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
This is fixed in 7.1.2 and later.
Actually fixed in 8.0: https://github.com/FFmpeg/FFmpeg/commit/c08d300481b8ebb846cd43a473988fdbc6793d1b
and backported to 7.1.3: https://github.com/FFmpeg/FFmpeg/commit/baee5f5e2751b61572abe23a8f8a0042d27c89e6
Although, to me it's dubious that it made sense to backport the fix to older branches when the code calls ff_flush_packet_queue(s) a few lines later unconditionally (unlike in 8.0+).
Opened upstream issue: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/23201
I'm going to close this because it looks like <8.0 is not affected.