CVE-2017-7208 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7208): The decode_residual function in libavcodec in libav 9.21 allows remote attackers to cause a denial of service (buffer over-read) or obtain sensitive information from process memory via a crafted h264 video file. CVE-2017-7206 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7206): The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read) or obtain sensitive information from process memory via a crafted h264 video file.
@Maintainers affected version is 9.21, could you confirm if 9.17 is affected? Thank you
CVE-2017-7206: Fixed in 11.11 and 12.2 releases. Not fixed in 9.21 (dying branch? Last release over a year a go). 9.x branch remains unfixed. CVE-2017-7208: Fixed in 12.2. Code is not present in previous versions so no vulnerability.
Tree is free of vulnerable versions. Marking as <12.3 since it is latest stable.