Bug 1070762 - (CVE-2017-17081) VUL-0: CVE-2017-17081: ffmpeg: The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 3.4 does notproperly validate widths and heights, which allows remote attackers to cause adenial of service (integer signedness error and out-of-array
(CVE-2017-17081)
VUL-0: CVE-2017-17081: ffmpeg: The gmc_mmx function in libavcodec/x86/mpegvid...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Maintenance
Leap 42.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Jan Engelhardt
Security Team bot
https://smash.suse.de/issue/196004/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-12-01 10:44 UTC by Victor Pereira
Modified: 2021-09-11 02:37 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2017-12-01 10:44:25 UTC
CVE-2017-17081

The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 3.4 does not
properly validate widths and heights, which allows remote attackers to cause a
denial of service (integer signedness error and out-of-array read) via a crafted
MPEG file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17081
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17081.html
http://www.cvedetails.com/cve/CVE-2017-17081/
https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2017-November/219748.html
https://github.com/FFmpeg/FFmpeg/commit/58cf31cee7a456057f337b3102a03206d833d5e8
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3516#c1
Comment 1 Swamp Workflow Management 2018-02-12 13:50:19 UTC
This is an autogenerated message for OBS integration:
This bug (1070762) was mentioned in
https://build.opensuse.org/request/show/575779 42.3 / ffmpeg
Comment 2 Swamp Workflow Management 2018-02-19 14:10:32 UTC
openSUSE-SU-2018:0470-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1064577,1066428,1069407,1070762,1072366,1078488,1079368
CVE References: CVE-2017-15186,CVE-2017-15672,CVE-2017-16840,CVE-2017-17081,CVE-2017-17555,CVE-2018-6392,CVE-2018-6621
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg-3.4.2-14.1
Comment 3 Swamp Workflow Management 2018-02-19 14:16:05 UTC
openSUSE-SU-2018:0476-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1064577,1066428,1069407,1070762,1072366,1078488,1079368
CVE References: CVE-2017-15186,CVE-2017-15672,CVE-2017-16840,CVE-2017-17081,CVE-2017-17555,CVE-2018-6392,CVE-2018-6621
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.4.2-10.1
Comment 6 Jan Engelhardt 2018-03-08 01:06:03 UTC
.
Comment 7 Swamp Workflow Management 2018-07-18 14:42:21 UTC
This is an autogenerated message for OBS integration:
This bug (1070762) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq