Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636736 (CVE-2017-15672) - <media-video/ffmpeg-3.3.5: read_header function in libavcodec/ffv1dec.c triggers an out-of-bounds read.
Summary: <media-video/ffmpeg-3.3.5: read_header function in libavcodec/ffv1dec.c trigg...
Status: RESOLVED FIXED
Alias: CVE-2017-15672
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-16840
Blocks:
  Show dependency tree
 
Reported: 2017-11-06 20:08 UTC by D'juan McDonald (domhnall)
Modified: 2018-05-19 22:07 UTC (History)
1 user (show)

See Also:
Package list:
=media-video/ffmpeg-3.3.5
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-11-06 20:08:00 UTC
CVE-2017-15672(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15672):

The read_header function in libavcodec/ffv1dec.c in FFmpeg 3.3.4 and earlier allows remote attackers to have unspecified impact via a crafted MP4 file, which triggers an out-of-bounds read.

Patch:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904

@maintainer(s), after bump, please call for stabilization, thank you.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 1 Alexis Ballier gentoo-dev 2017-11-10 09:06:36 UTC
this is fixed in 3.3.5 that is good to go stable
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-10 15:46:37 UTC
@arches, please stabilize.
Comment 3 Stabilization helper bot gentoo-dev 2017-11-10 16:01:40 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.5.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.5.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 4 Thomas Deutschmann gentoo-dev 2017-11-11 18:06:51 UTC
x86 stable
Comment 5 Stabilization helper bot gentoo-dev 2017-11-11 19:01:50 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.5.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.5.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-12 10:17:07 UTC
ia64 stable
Comment 7 Stabilization helper bot gentoo-dev 2017-11-12 11:01:37 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.5.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.5.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-11-13 15:33:48 UTC
amd64 stable
Comment 9 Stabilization helper bot gentoo-dev 2017-11-13 16:01:29 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.5.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.5.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 10 Markus Meier gentoo-dev 2017-11-19 15:17:39 UTC
arm stable
Comment 11 Stabilization helper bot gentoo-dev 2017-11-19 16:01:38 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-29 12:41:54 UTC
ppc64 stable
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-05-19 22:07:14 UTC
cleanup will occur in bug #639698

GLSA Vote: No