CLD-253 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-6392 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) ffmpeg
Deficiency Type SECURITY
Date Created 2018-01-29 17:17:27
Date Last Modified 2018-04-23 14:01:25

Version Specific Information:

Cucumber 1.0 i686fixed in ffmpeg-3.3.7-i686-1
Cucumber 1.0 x86_64fixed in ffmpeg-3.3.7-x86_64-1 and ffmpeg-lib_i686-3.3.7-lib_i686-1

Cucumber 1.1 i686 fixed in ffmpeg-3.3.7-i686-1
Cucumber 1.1 x86_64 fixed in ffmpeg-3.3.7-x86_64-1 and ffmpeg-lib_i686-3.3.7-lib_i686-1


=================================== Overview ===================================

The filter_slice function in libavfilter/vf_transpose.c in FFmpeg through 3.4.1
allows remote attackers to cause a denial of service (out-of-array access) via
a crafted MP4 file.

================================ Initial Report ================================


================================= Our Analysis =================================

----- Affected Products -----
This vulnerability affects all versions of ffmpeg that have not had BOTH of the
following patches applied:
This includes ffmpeg 3.3.6 (the version used in Cucumber Linux 1.0 and 1.1).
Therefore, ffmpeg as originally packaged in Cucumber Linux 1.0 and 1.1 is
vulnerable to this. Unfortunately, the aforementioned patches are written for
ffmpeg 3.4, not 3.3, and they are not backportable, so we will have to wait for
the upstream developers to publish a proper patch for 3.3.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying BOTH of the following patches:

================================= Our Solution =================================

We are waiting for the upstream developers to publish a patch.