CVE-2017-9995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9995): libavcodec/scpr.c in FFmpeg 3.3 before 3.3.1 does not properly validate height and width data, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.

CVE-2017-9990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9990): Stack-based buffer overflow in the color_string_to_rgba function in libavcodec/xpmdec.c in FFmpeg 3.3 before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file.

@Maintainers we have older versions, could you please confirm if those are vulnerable? Thanks

GLSA Vote: No

Cleanup handled in bug #630460