CLD-138 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-16840 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) ffmpeg
Deficiency Type SECURITY
Date Created 2017-11-21 08:42:39
Date Last Modified 2017-11-21 09:21:18

Version Specific Information:

Cucumber 1.0 i686 fixed in ffmpeg-3.3.5-i686-2
Cucumber 1.0 x86_64 fixed in ffmpeg-3.3.5-x86_64-2 and ffmpeg-lib_i686-3.3.5-lib_i686-2

Cucumber 1.1 i686 fixed in ffmpeg-3.3.5-i686-2
Cucumber 1.1 x86_64 fixed in ffmpeg-3.3.5-x86_64-2 and ffmpeg-lib_i686-3.3.5-lib_i686-2

Details:

The VC-2 Video Compression encoder in FFmpeg 3.4 allows remote attackers to
cause a denial of service (out-of-bounds read) because of incorrect buffer
padding for non-Haar wavelets, related to libavcodec/vc2enc.c and
libavcodec/vc2enc_dwt.c (https://nvd.nist.gov/vuln/detail/CVE-2017-16840).

Due to the nature of this vulnerability (and all buffer overread
vulnerabilities) we cannot rule out the possibility of unintended information
disclosure.

It appears that FFmpeg 3.3.5 (the version in use on Cucumber 1.0 and 1.1) is
also vulnerable to this. The affected code from FFmpeg 3.4 is also present in
FFmpeg 3.3.5.

This vulnerability has been patched by applying the patch listed on the NVD
page. It works against FFmpeg 3.3.5 without difficulty. Patch URL:
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74;hp=587fadaef1e8163b3e56043e500a3724e7fc5379