Bug 1072366 - (CVE-2017-17555) VUL-1: CVE-2017-17555: ffmpeg: The swri_audio_convert function allows remote attackers to cause a DoS
(CVE-2017-17555)
VUL-1: CVE-2017-17555: ffmpeg: The swri_audio_convert function allows remote ...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 42.3
Other openSUSE Factory
: P4 - Low : Normal (vote)
: ---
Assigned To: Jan Engelhardt
Security Team bot
https://smash.suse.de/issue/196470/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-12-12 10:59 UTC by Johannes Segitz
Modified: 2021-09-11 02:37 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-12-12 10:59:24 UTC
CVE-2017-17555

The swri_audio_convert function in audioconvert.c in FFmpeg libswresample
through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6, and other products,
allows remote attackers to cause a denial of service (NULL pointer dereference
and application crash) via a crafted audio file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17555
https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference%28DoS%29%20Vulnerability%20was%20found%20in%20function%20swri_audio_convert%20of%20ffmpeg%20libswresample.md
Comment 1 Swamp Workflow Management 2018-02-12 13:50:23 UTC
This is an autogenerated message for OBS integration:
This bug (1072366) was mentioned in
https://build.opensuse.org/request/show/575779 42.3 / ffmpeg
Comment 2 Johannes Segitz 2018-02-14 07:32:02 UTC
what information do you need?
Comment 3 Jan Engelhardt 2018-02-14 09:09:24 UTC
Oh. I had originally set it to ask for where the bug actually is, but then found out myself.
Comment 4 Swamp Workflow Management 2018-02-19 14:10:40 UTC
openSUSE-SU-2018:0470-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1064577,1066428,1069407,1070762,1072366,1078488,1079368
CVE References: CVE-2017-15186,CVE-2017-15672,CVE-2017-16840,CVE-2017-17081,CVE-2017-17555,CVE-2018-6392,CVE-2018-6621
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg-3.4.2-14.1
Comment 5 Swamp Workflow Management 2018-02-19 14:16:14 UTC
openSUSE-SU-2018:0476-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1064577,1066428,1069407,1070762,1072366,1078488,1079368
CVE References: CVE-2017-15186,CVE-2017-15672,CVE-2017-16840,CVE-2017-17081,CVE-2017-17555,CVE-2018-6392,CVE-2018-6621
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.4.2-10.1
Comment 8 Jan Engelhardt 2018-03-08 01:05:58 UTC
.
Comment 9 Swamp Workflow Management 2018-07-18 14:42:24 UTC
This is an autogenerated message for OBS integration:
This bug (1072366) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq