JFrog discovered a vulnerability in FFmpeg.
Detection
To detect if your system includes the vulnerable MagicYUV decoder, run:
ffmpeg -decoders 2>/dev/null | grep magicyuv
If the output includes a line such as VFS..D magicyuv, the MagicYUV decoder is compiled into your FFmpeg build and the build is vulnerable. The MagicYUV decoder is enabled by default in every upstream FFmpeg build and in every distribution package we tested (Ubuntu, Debian, Fedora, Arch, Alpine) before version 9.0. Note that this check only covers the ffmpeg binary on your PATH; applications that bundle their own copy of libavcodec must be checked separately.
Workarounds
If upgrading FFmpeg is not immediately possible:
Option 1 – Rebuild FFmpeg with the vulnerable decoder disabled:
./configure --disable-decoder=magicyuv [your other flags]
make && make install
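The following script is an added example, not part of the JFrog advisory or of FFmpeg itself. It wraps the detection step above in a reusable check that parses `ffmpeg -decoders` output, matching the decoder name column exactly so that a description mentioning "magicyuv" elsewhere cannot produce a false positive, and it can be rerun after the rebuild in Option 1 to confirm that `--disable-decoder=magicyuv` took effect. The two decoder listings embedded in the script are constructed samples so the parsing logic can be exercised without FFmpeg installed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the JFrog advisory): detect whether an FFmpeg
# build has the MagicYUV decoder compiled in, based on `ffmpeg -decoders`.

# Constructed samples of `ffmpeg -decoders` output. Only the flags and
# name columns matter; the flags column has the form VFS..D as on real builds.
SAMPLE_WITH_MAGICYUV='Decoders:
 V..... = Video
 A..... = Audio
 ------
 V....D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 VFS..D magicyuv             MagicYUV video
 A....D mp3                  MP3 (MPEG audio layer 3)'

SAMPLE_WITHOUT_MAGICYUV='Decoders:
 ------
 V....D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 A....D mp3                  MP3 (MPEG audio layer 3)'

# has_magicyuv_decoder: read a decoder listing on stdin; return 0 when a
# line names magicyuv in the decoder-name column (second field), else 1.
# Matching the whole field avoids false hits from description text.
has_magicyuv_decoder() {
    awk '$2 == "magicyuv" { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_installed_ffmpeg: run the check against the ffmpeg on PATH.
# Returns 0 (decoder present, build vulnerable unless already fixed),
# 1 (decoder absent) or 2 (no ffmpeg found). Only the ffmpeg binary is
# checked; applications bundling their own libavcodec are not covered.
check_installed_ffmpeg() {
    if ! command -v ffmpeg >/dev/null 2>&1; then
        echo "ffmpeg not found on PATH"
        return 2
    fi
    if ffmpeg -decoders 2>/dev/null | has_magicyuv_decoder; then
        echo "MagicYUV decoder is compiled in: $(ffmpeg -version 2>/dev/null | head -n 1)"
        return 0
    fi
    echo "MagicYUV decoder is not compiled in"
    return 1
}

# Run the live check only when invoked as `sh check.sh --check`, so the
# functions can also be sourced and exercised on the constructed samples.
case "${1:-}" in
    --check) check_installed_ffmpeg; exit $? ;;
esac
```

Run it as `sh check.sh --check` before and after rebuilding; a return code of 1 after the rebuild confirms the decoder was left out, while 0 means the configure flag did not take effect (for example because a different ffmpeg is first on PATH).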