Bug 1072366 (CVE-2017-17555)

Summary: VUL-1: CVE-2017-17555: ffmpeg: The swri_audio_convert function allows remote attackers to cause a DoS
Product: [openSUSE] openSUSE Distribution Reporter: Johannes Segitz <jsegitz>
Component: SecurityAssignee: Jan Engelhardt <jengelh>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: jsegitz
Version: Leap 42.3   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE Factory   
URL: https://smash.suse.de/issue/196470/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2017-12-12 10:59:24 UTC
CVE-2017-17555

The swri_audio_convert function in audioconvert.c in FFmpeg libswresample
through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6, and other products,
allows remote attackers to cause a denial of service (NULL pointer dereference
and application crash) via a crafted audio file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17555
https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference%28DoS%29%20Vulnerability%20was%20found%20in%20function%20swri_audio_convert%20of%20ffmpeg%20libswresample.md
Comment 1 Swamp Workflow Management 2018-02-12 13:50:23 UTC
This is an autogenerated message for OBS integration:
This bug (1072366) was mentioned in
https://build.opensuse.org/request/show/575779 42.3 / ffmpeg
Comment 2 Johannes Segitz 2018-02-14 07:32:02 UTC
what information do you need?
Comment 3 Jan Engelhardt 2018-02-14 09:09:24 UTC
Oh. I had originally set it to ask for where the bug actually is, but then found out myself.
Comment 4 Swamp Workflow Management 2018-02-19 14:10:40 UTC
openSUSE-SU-2018:0470-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1064577,1066428,1069407,1070762,1072366,1078488,1079368
CVE References: CVE-2017-15186,CVE-2017-15672,CVE-2017-16840,CVE-2017-17081,CVE-2017-17555,CVE-2018-6392,CVE-2018-6621
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg-3.4.2-14.1
Comment 5 Swamp Workflow Management 2018-02-19 14:16:14 UTC
openSUSE-SU-2018:0476-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1064577,1066428,1069407,1070762,1072366,1078488,1079368
CVE References: CVE-2017-15186,CVE-2017-15672,CVE-2017-16840,CVE-2017-17081,CVE-2017-17555,CVE-2018-6392,CVE-2018-6621
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.4.2-10.1
Comment 8 Jan Engelhardt 2018-03-08 01:05:58 UTC
.
Comment 9 Swamp Workflow Management 2018-07-18 14:42:24 UTC
This is an autogenerated message for OBS integration:
This bug (1072366) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq