DSA-3957-1 ffmpeg -- ffmpeg
|ID: oval:org.secpod.oval:def:603081||Date: (C)2017-09-05 (M)2018-03-28|
|Class: PATCH||Family: unix|
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situation, the execution of arbitrary code. CVE-2017-9608 Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access when parsing a crafted MOV file. CVE-2017-9993 Thierry Foucu discovered that it was possible to leak information from files and symlinks ending in common multimedia extensions, using the HTTP Live Streaming. CVE-2017-11399 Liu Bingchang of IIE discovered an integer overflow in the APE decoder that can be triggered by a crafted APE file. CVE-2017-11665 JunDong Xie of Ant-financial Light-Year Security Lab discovered that an attacker able to craft a RTMP stream can crash FFmpeg. CVE-2017-11719 Liu Bingchang of IIE discovered an out-of-bound access that can be triggered by a crafted DNxHD file.