Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 634748 (CVE-2017-9990, CVE-2017-9995)

Summary: <media-video/ffmpeg-3.3.1: Multiple vulnerability
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-19 03:51:20 UTC 
CVE-2017-9995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9995):
  libavcodec/scpr.c in FFmpeg 3.3 before 3.3.1 does not properly validate
  height and width data, which allows remote attackers to cause a denial of
  service (heap-based buffer overflow and application crash) or possibly have
  unspecified other impact via a crafted file.

CVE-2017-9990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9990):
  Stack-based buffer overflow in the color_string_to_rgba function in
  libavcodec/xpmdec.c in FFmpeg 3.3 before 3.3.1 allows remote attackers to
  cause a denial of service (application crash) or possibly have unspecified
  other impact via a crafted file.


@Maintainers we have older versions, could you please confirm if those are vulnerable?

Thanks
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-10-26 00:46:41 UTC 
GLSA Vote: No

Cleanup handled in bug #630460