CLD-431 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-12460 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) ffmpeg
Deficiency Type SECURITY
Date Created 2018-06-15 13:40:08
Date Last Modified 2018-06-15 16:24:36

Version Specific Information:

Cucumber 1.0 i686 waiting for upstream to publish patch
Cucumber 1.0 x86_64 waiting for upstream to publish patch

Cucumber 1.1 i686 waiting for upstream to publish patch
Cucumber 1.1 x86_64 waiting for upstream to publish patch

Details:

Fixed in commit
https://github.com/FFmpeg/FFmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d.

This vulnerability was fixed by changing the condition of the if statement that
determines whether 'c->idct_put' is set to 'ff_simple_idct_put_int32_10bit' or
'ff_simple_idct_put_int16_10bit'. In ffmpeg 3.3, this variable is
unconditionally set to 'ff_simple_idct_put_10', so it is unclear whether this
version is even vulnerable in the first place. If it is, this patch is not
easily backportable.

We will wait to see what upstream does.