CLD-115 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | ffmpeg |
Deficiency Type | SECURITY |
Date Created | 2017-10-25 10:23:59 |
Date Last Modified | 2017-10-27 11:03:56 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in ffmpeg-3.3.5-i686-1 |
Cucumber 1.0 x86_64 | fixed in ffmpeg-3.3.5-x86_64-1 and ffmpeg-lib_i686-3.3.5-lib_i686-1 |
Cucumber 1.1 i686 | fixed in ffmpeg-3.3.5-i686-1 |
Cucumber 1.1 x86_64 | fixed in ffmpeg-3.3.5-x86_64-1 and ffmpeg-lib_i686-3.3.5-lib_i686-1 |
Details:
Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to
cause a denial of service via a crafted AVI file
(https://nvd.nist.gov/vuln/detail/CVE-2017-15186).
Unfortunately, no other remotely useful information has been disclosed about
this vulnerability. As of Thu Oct 26 10:45:22 EDT 2017 Cucumber 1.0 and 1.1 are
both using ffmpeg 3.3.4, so we are pretty sure we are vulnerable, but
unfortunately there is no way to fix this vulnerability at this time.
Update (Fri Oct 27 10:23:47 EDT 2017): ffmpeg has released a new version
(3.3.5) fixing this vulnerability. They were also so kind as to explicitly make
a note about this vulnerability on their security page at
https://ffmpeg.org/security.html, so there is now absolutely no doubt that it
has been fixed. Thanks guys!