CLD-138 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) |
ffmpeg |
Deficiency Type |
SECURITY |
Date Created |
2017-11-21 08:42:39 |
Date Last Modified |
2017-11-21 09:21:18 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in ffmpeg-3.3.5-i686-2 |
Cucumber 1.0 x86_64 | fixed in ffmpeg-3.3.5-x86_64-2 and ffmpeg-lib_i686-3.3.5-lib_i686-2 |
Cucumber 1.1 i686 |
fixed in ffmpeg-3.3.5-i686-2 |
Cucumber 1.1 x86_64 |
fixed in ffmpeg-3.3.5-x86_64-2 and ffmpeg-lib_i686-3.3.5-lib_i686-2 |
Details:
The VC-2 Video Compression encoder in FFmpeg 3.4 allows remote attackers to
cause a denial of service (out-of-bounds read) because of incorrect buffer
padding for non-Haar wavelets, related to libavcodec/vc2enc.c and
libavcodec/vc2enc_dwt.c (https://nvd.nist.gov/vuln/detail/CVE-2017-16840).
Due to the nature of this vulnerability (and all buffer overread
vulnerabilities) we cannot rule out the possibliity of unintended information
disclosure.
It appears that FFmpeg 3.3.5 (the version is use on Cucumber 1.0 and 1.1) is
also vulnerable to this. The affected code from FFmpeg 3.4 is also present in
FFmpet 3.3.5.
This vulnerability has been patched by applying the patch listed on the NVD
page. It works against FFmpeg 3.3.5 without difficulty. Patch URL:
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74;hp=587fadaef1e8163b3e56043e500a3724e7fc5379