First Last Prev Next    This bug is not in your last search results.
Bug 1102688 - (CVE-2018-1999012) VUL-1: CVE-2018-1999012: ffmpeg: Infinite loop vulnerability in pva format demuxer
(CVE-2018-1999012)
VUL-1: CVE-2018-1999012: ffmpeg: Infinite loop vulnerability in pva format de...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/211436/
CVSSv3:SUSE:CVE-2018-1999012:3.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-07-26 06:17 UTC by Karol Babioch
Modified: 2018-11-21 23:40 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2018-07-26 06:17:51 UTC 
CVE-2018-1999012

FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a
CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a
Vulnerability that allows attackers to consume excessive amount of resources
like CPU and RAM. This attack appear to be exploitable via specially crafted PVA
file has to be provided as input. This vulnerability appears to have been fixed
in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1999012
https://github.com/FFmpeg/FFmpeg/commit/9807d3976be0e92e4ece3b4b1701be894cd7c2e1
Comment 3 Swamp Workflow Management 2018-08-11 01:10:22 UTC 
SUSE-SU-2018:2305-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1100356,1102687,1102688,1102689,1102899
CVE References: CVE-2018-13302,CVE-2018-1999010,CVE-2018-1999011,CVE-2018-1999012,CVE-2018-1999013
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    ffmpeg-3.4.2-4.5.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ffmpeg-3.4.2-4.5.1
Comment 4 Scott Reeves 2018-08-17 22:13:46 UTC 
Hi Yifan, can you have your team take this. Thanks.
Comment 6 Qiang Zheng 2018-08-28 09:21:06 UTC 
The fix is available.
Comment 7 Marcus Meissner 2018-11-09 07:09:59 UTC 
released
First Last Prev Next    This bug is not in your last search results.