Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 692418 (CVE-2019-12730)

Summary: <media-video/ffmpeg-{3.2.14,4.1.4: multiple vulnerabilities
Product: Gentoo Security Reporter: Teika kazura <teika>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: jstein, media-video, nobrowser
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 711144    
Bug Blocks:    

Description Teika kazura 2019-08-18 07:05:39 UTC 
aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x before 4.1.4 does not check for sscanf failure and consequently allows use of uninitialized variables.

See e.g. https://security-tracker.debian.org/tracker/CVE-2019-12730, https://nvd.nist.gov/vuln/detail/CVE-2019-12730.

Impact: Critical (cvss v3.0) / high (cvss v2.0)

Best regards.
Comment 1 Teika kazura 2020-01-23 07:23:50 UTC 
*ping*
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2020-03-20 05:21:18 UTC 
This should of been stable, resetting it with depends on 711144 which is undergoing stabilization.

Added to an existing GLSA Request.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-03-30 15:07:11 UTC 
This issue was resolved and addressed in
 GLSA 202003-65 at https://security.gentoo.org/glsa/202003-65
by GLSA coordinator Thomas Deutschmann (whissi).