Bug 632134 (CVE-2017-14767) - <media-video/ffmpeg-3.3.4: mishandled empty sprop-parameter-sets values cause denial of service
Status: RESOLVED FIXED
Alias: CVE-2017-14767
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-14225
Blocks:
Reported: 2017-09-27 11:34 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-10-26 00:45 UTC

See Also:
Package list:
Runtime testing required: ---


Description Aleksandr Wagner (Kivak) 2017-09-27 11:34:18 UTC
CVE-2017-14767 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14767):

The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c in FFmpeg before 3.3.4 mishandles empty sprop-parameter-sets values, which allows remote attackers to cause a denial of service (heap buffer overflow) or possibly have unspecified other impact via a crafted sdp file. 

References:

https://github.com/FFmpeg/FFmpeg/commit/c42a1388a6d1bfd8001bf6a4241d8ca27e49326d
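
A pre-parse check for the condition the CVE description names, as an added example that is not part of the original report and is not FFmpeg's code: it rejects the parameter string of an SDP `a=fmtp` line whose sprop-parameter-sets list contains an empty entry, so the file can be refused before an unpatched library parses it. It goes slightly beyond the report by also treating an empty entry before, between or after commas as empty; the helper name `check_sprop` and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum sprop_status { SPROP_OK, SPROP_ABSENT, SPROP_EMPTY_ENTRY, SPROP_BAD_CHAR };

/* Base64 alphabet plus '=' padding (each parameter set is base64 per RFC 6184). */
static int is_b64(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=';
}

/* check_sprop (hypothetical helper): validate the parameter part of an
 * "a=fmtp:<pt> ..." line before it is handed to a media library. */
enum sprop_status check_sprop(const char *fmtp)
{
    static const char key[] = "sprop-parameter-sets=";
    const char *p = strstr(fmtp, key);
    size_t entry_len = 0;

    if (!p)
        return SPROP_ABSENT;
    for (p += sizeof(key) - 1;; p++) {
        /* The value ends at ';', whitespace or end of string. */
        int end = *p == '\0' || *p == ';' || *p == ' ' || *p == '\r' || *p == '\n';
        if (end || *p == ',') {
            if (entry_len == 0)        /* "", ",x", "x,,y" or "x," */
                return SPROP_EMPTY_ENTRY;
            entry_len = 0;
            if (end)
                return SPROP_OK;
        } else if (!is_b64(*p)) {
            return SPROP_BAD_CHAR;
        } else {
            entry_len++;
        }
    }
}

int main(void)
{
    /* Constructed sample parameter strings, not taken from a real stream. */
    const char *samples[] = {
        "packetization-mode=1; sprop-parameter-sets=Z0IACpZTBYmI,aMljiA==",
        "packetization-mode=1; sprop-parameter-sets=",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%d  %s\n", check_sprop(samples[i]), samples[i]);
    return 0;
}
```

The check only classifies the string; upgrading to ffmpeg 3.3.4 or later, as the bug title states, remains the fix.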
Comment 1 Aleksandr Wagner (Kivak) 2017-09-27 11:35:40 UTC
Stabilization will occur on bug 630460.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-10-26 00:45:45 UTC
GLSA Vote: No

Cleanup handled in bug #630460