CLD-115 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-15186 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) ffmpeg
Deficiency Type SECURITY
Date Created 2017-10-25 10:23:59
Date Last Modified 2017-10-27 11:03:56

Version Specific Information:

Cucumber 1.0 i686 fixed in ffmpeg-3.3.5-i686-1
Cucumber 1.0 x86_64 fixed in ffmpeg-3.3.5-x86_64-1 and ffmpeg-lib_i686-3.3.5-lib_i686-1

Cucumber 1.1 i686 fixed in ffmpeg-3.3.5-i686-1
Cucumber 1.1 x86_64 fixed in ffmpeg-3.3.5-x86_64-1 and ffmpeg-lib_i686-3.3.5-lib_i686-1

Details:

Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to
cause a denial of service via a crafted AVI file
(https://nvd.nist.gov/vuln/detail/CVE-2017-15186).

Unfortunately, no other remotely useful infromation has been disclosed about
this vulnerability. As of Thu Oct 26 10:45:22 EDT 2017 Cucumber 1.0 and 1.1 are
both using ffmpeg 3.3.4, so we are pretty sure we are vulnerable, but
unfortunately there is no way to fix this vulnerability at this time.

Update (Fri Oct 27 10:23:47 EDT 2017): ffmpeg has has released a new version
(3.3.5) fixing this vulnerability. They were also so kind as to explicitly make
a note about this vulnerability on their security page at
https://ffmpeg.org/security.html, so there is now absolutely no doubt that it
has been fixed. Thanks guys!