Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 685862 (CVE-2019-11338, CVE-2019-9718, CVE-2019-9721) - <media-video/ffmpeg-{3.4.6,4.1.3}: multiple vulnerabilities (CVE-2019-{9718,9721,11338})
Summary: <media-video/ffmpeg-{3.4.6,4.1.3}: multiple vulnerabilities (CVE-2019-{9718,9...
Status: IN_PROGRESS
Alias: CVE-2019-11338, CVE-2019-9718, CVE-2019-9721
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-13 15:38 UTC by GLSAMaker/CVETool Bot
Modified: 2019-05-13 15:39 UTC (History)
1 user (show)

See Also:
Package list:
media-video/ffmpeg-3.4.6
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 15:38:16 UTC
CVE-2019-9718 (https://nvd.nist.gov/vuln/detail/CVE-2019-9718):
  In FFmpeg 4.1, a denial of service in the subtitle decoder allows attackers
  to hog the CPU via a crafted video file in Matroska format, because
  ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format
  argument to sscanf.

CVE-2019-9721 (https://nvd.nist.gov/vuln/detail/CVE-2019-9721):
  A denial of service in the subtitle decoder in FFmpeg 4.1 allows attackers
  to hog the CPU via a crafted video file in Matroska format, because
  handle_open_brace in libavcodec/htmlsubtitles.c has a complex format
  argument to sscanf.

CVE-2019-11338 (https://nvd.nist.gov/vuln/detail/CVE-2019-11338):
  libavcodec/hevcdec.c in FFmpeg 4.1.2 mishandles detection of duplicate first
  slices, which allows remote attackers to cause a denial of service (NULL
  pointer dereference and out-of-array access) or possibly have unspecified
  other impact via crafted HEVC data.