Bugzilla – Bug 1220549
VUL-0: CVE-2023-6604: ffmpeg,ffmpeg-4: HLS XBIN Demuxer DoS Amplification
Last modified: 2024-07-03 05:20:27 UTC
FFmpeg Findings 2023.12.01

Overview

Included in this document are five (5) bugs in the open-source package ffmpeg. Internal CVSS 3.1 scoring for these bugs ranges from 3.9 to 7.2.

Attribution for these findings: Harvey Phillips of Amazon Element55 (element55@amazon.com).

If the recipient of this notice (secalert@redhat.com) has any questions regarding these findings, please do not hesitate to contact us at element55@amazon.com.

IV. HLS XBIN Demuxer DoS Amplification

Affected Versions: 2.0 (at least) → 6.0 (latest)
Suggested CVSS 3.1: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

An instance of FFmpeg that does not enforce an input format can be tricked into demuxing arbitrary data as XBIN-formatted, leading to a considerably larger output file and extended transcoding time.

Impact

Unexpected additional CPU load for transcoding and storage for large files could lead to degraded or denial of service.

Description

If an input to FFmpeg begins with the XBIN header (11 bytes), then the remainder of the input will be treated as an array of uint16_ts, with each pair of bytes denoting the ASCII character and foreground/background colour respectively. This format allows typical XBIN files to be relatively small.

Due to the lack of structure (beyond the 11-byte header), non-XBIN data can be treated as XBIN data without error. By providing a subsequent input that is very large, FFmpeg will transcode and produce an even larger output. A sample MP4 totalling 16MB and lasting 3m11s took over 3 minutes to transcode and produced a 352MB file with a duration of 43m52s.

Reproduction

Example Input (input.mp4):

    #EXTM3U
    #EXT-X-MEDIA-SEQUENCE:0
    #EXTINF:1,
    data://text/plain;base64,WEJJThogABAAEAA==.m3u8
    #EXTINF:1,
    file:///absolute/path/to/some/file/with/a/media/extension.ext
    #EXT-X-ENDLIST

Trigger via:

    ffmpeg -i input.mp4 output.mp4

The transcoding will take a disproportional amount of time and output.mp4 will be much larger than the input.

Alternatively, you could replace the file:// URI with a data:// URI and provide the input data directly.

Remediation

The XBIN demuxer should only be triggered if the input file extension matches a known value, e.g. .XB.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6604
https://bugzilla.redhat.com/show_bug.cgi?id=2253172
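A pre-flight check that a transcoding service could run before handing untrusted input to FFmpeg, following the playlist shape in the reproduction above: it flags HLS segment URIs that use the data: or file: schemes, and data: payloads that begin with an XBIN header. This is an added example, not code from the report or from FFmpeg; the function names, the simplified data: URI parsing and the sample playlist are assumptions constructed for illustration.

```python
import base64
import binascii
import re

XBIN_MAGIC = b"XBIN\x1a"          # start of the 11-byte XBIN header
XBIN_HEADER_LEN = 11
RISKY_SCHEMES = {"data", "file"}  # schemes used by the report's playlist

def looks_like_xbin(blob: bytes) -> bool:
    """True if blob starts with a full-length XBIN header."""
    return len(blob) >= XBIN_HEADER_LEN and blob.startswith(XBIN_MAGIC)

def data_uri_payload(uri: str) -> bytes:
    """Decode a data: URI body; simplified parsing (assumption), b'' on error."""
    meta, _, payload = uri.split(":", 1)[1].lstrip("/").partition(",")
    if not meta.endswith(";base64"):
        return payload.encode("utf-8")
    # Ignore padding and any suffix such as ".m3u8" after the base64 text.
    b64 = re.match(r"[A-Za-z0-9+/]*", payload).group()
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except binascii.Error:
        return b""

def audit_playlist(text: str) -> list:
    """Return (line_number, reason) for each risky segment URI in an HLS playlist."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or not lines[0].startswith("#EXTM3U"):
        return []  # not an HLS playlist; sniff content, not the file extension
    findings = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # tags and comments are not segment URIs
        scheme = line.split(":", 1)[0].lower() if ":" in line else ""
        if scheme in RISKY_SCHEMES:
            reason = scheme + ": segment URI"
            if scheme == "data" and looks_like_xbin(data_uri_payload(line)):
                reason += " carrying an XBIN header"
            findings.append((number, reason))
    return findings

# Constructed sample: header bytes and paths are illustrative, not from a real file.
SAMPLE_HEADER = XBIN_MAGIC + bytes([0x20, 0x00, 0x10, 0x00, 0x10, 0x00])
SAMPLE_PLAYLIST = "\n".join([
    "#EXTM3U", "#EXT-X-MEDIA-SEQUENCE:0",
    "#EXTINF:1,", "data://text/plain;base64," + base64.b64encode(SAMPLE_HEADER).decode() + ".m3u8",
    "#EXTINF:1,", "file:///srv/media/constructed-sample.ext",
    "#EXTINF:1,", "segment2.ts", "#EXT-X-ENDLIST",
])
```

Because the report's input.mp4 is really a playlist, the check keys on the #EXTM3U content rather than the file name. Rejecting or quarantining any upload with findings keeps the amplified transcode from starting.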