Bug 1022921 - (CVE-2016-10191) VUL-0: CVE-2016-10191: ffmpeg: remote exploitation results in code execution [ 2 - libavformat/rtmppkt.c ]
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: unspecified
Assigned To: Jan Engelhardt
QA Contact: Security Team bot
Reported: 2017-02-01 00:07 UTC by Mikhail Kasimov
Modified: 2021-09-11 02:35 UTC

Description Mikhail Kasimov 2017-02-01 00:07:58 UTC
Ref: http://seclists.org/oss-sec/2017/q1/245
===================================================
This letter is a result of research made by Emil Lerner <neex.emil () gmail com> and 
Pavel Cheremushkin <paulcher () seclab cs msu su>, and it is supposed to disclose 
multiple issues we managed to find and exploit in FFmpeg software. Although all vulnerabilities have been 
successfully patched by FFmpeg developers, this letter is supposed to clarify all these issues and show that they are 
exploitable.

--[ 2 - libavformat/rtmppkt.c ]

The issue is connected with a buffer overflow on the heap in the RTMP protocol. After a bit of reverse engineering of the RTMP 
protocol you can notice that it uses chunks (of max 0x80 bytes) to _transfer_ data, but chunks of bigger size could be 
used to _store_ the data. Because the size of the packet is not checked to be the same as it was earlier in the same transmission, 
you can first send a packet with a smaller size and then a bigger size, and this results in a heap overflow [1]. If you can align 
the chunks right you can achieve a write-what-where condition, and that results in RCE.

* [1] - https://github.com/FFmpeg/FFmpeg/blob/d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173/libavformat/rtmppkt.c#L268 

The issue was fixed in https://github.com/FFmpeg/FFmpeg/commit/7d57ca4d9a75562fa32e40766211de150f8b3ee7 
===================================================

Comment on Ref: http://seclists.org/oss-sec/2017/q1/251
===================================================
In case anyone else is curious, here are the corresponding commits
reachable from the n3.2.2 release tag:

https://github.com/FFmpeg/FFmpeg/commit/32b95471a86ae383c0f76361d954aec511f7043a
===================================================

(open-)SUSE: https://software.opensuse.org/package/ffmpeg

TW: 3.2.22
42.2: 3.2
42.1: 2.8.8
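The reassembly flaw described in the quoted report, as an added illustrative model that is not FFmpeg's code and not the exact fix commit: a per-channel reassembler in which a header repeated mid-packet with a larger size lets the copy length outgrow the buffer allocated for the first declared size; the `strict` flag applies the kind of size-mismatch check the fix introduced, and the vulnerable path reports where the out-of-bounds write would land instead of performing it. The names `RtmpPkt`, `rtmp_feed_chunk`, `rtmp_pkt_reset` and `CHUNK_SIZE` are assumptions of this model.

```c
/* Constructed model of per-channel RTMP chunk reassembly; not FFmpeg's code. */
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE 0x80  /* default RTMP chunk size named in the report */
enum { RTMP_OK = 0, RTMP_MORE = 1, RTMP_ERR_SIZE = -1, RTMP_WOULD_OVERFLOW = -2, RTMP_ERR_PROTO = -3 };
typedef struct {
    unsigned char *data;  /* heap buffer, allocated when the first header arrives */
    int alloc;            /* bytes actually allocated for data */
    int size;             /* payload size declared by the most recent header */
    int offset;           /* payload bytes copied so far */
    int read;             /* 1 while a packet on this channel is partially assembled */
} RtmpPkt;

void rtmp_pkt_reset(RtmpPkt *p) { free(p->data); memset(p, 0, sizeof *p); }

/* Feed one chunk.  hdr_size < 0 models a continuation chunk (no size field);
 * hdr_size >= 0 models a header declaring the payload size.  strict = 0 mirrors
 * the vulnerable logic (a later header may enlarge size while the buffer keeps
 * its old allocation; the model reports RTMP_WOULD_OVERFLOW instead of writing);
 * strict = 1 applies the fix and rejects a size mismatch mid-packet. */
int rtmp_feed_chunk(RtmpPkt *p, int hdr_size, const unsigned char *chunk,
                    int chunk_len, int strict)
{
    if (hdr_size < 0 && !p->read) return RTMP_ERR_PROTO;  /* continuation without a packet */
    if (hdr_size >= 0) {
        if (!p->read) {                    /* new packet: allocate for the declared size */
            p->data = malloc(hdr_size ? hdr_size : 1);
            p->alloc = p->size = hdr_size;
            p->offset = 0; p->read = 1;
        } else if (hdr_size != p->size) {  /* header repeated with a different size */
            if (strict) {                  /* fixed behaviour: drop the partial packet */
                rtmp_pkt_reset(p);
                return RTMP_ERR_SIZE;
            }
            p->size = hdr_size;            /* vulnerable: size grows, allocation does not */
        }
    }
    int toread = p->size - p->offset;      /* bytes still expected for this packet */
    if (toread < 0) return RTMP_ERR_PROTO; /* size shrank below what was already copied */
    if (toread > CHUNK_SIZE) toread = CHUNK_SIZE;
    if (toread > chunk_len)  toread = chunk_len;
    if (p->offset + toread > p->alloc)     /* the real code would memcpy past the heap buffer */
        return RTMP_WOULD_OVERFLOW;
    memcpy(p->data + p->offset, chunk, toread);
    p->offset += toread;
    if (p->offset < p->size) return RTMP_MORE;
    p->read = 0;                           /* complete; caller owns data until rtmp_pkt_reset */
    return RTMP_OK;
}
```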
Comment 1 Swamp Workflow Management 2017-02-01 23:01:04 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2017-04-18 14:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (1022921) was mentioned in
https://build.opensuse.org/request/show/489097 Factory / ffmpeg
Comment 3 Bernhard Wiedemann 2017-04-18 16:01:04 UTC
This is an autogenerated message for OBS integration:
This bug (1022921) was mentioned in
https://build.opensuse.org/request/show/489106 42.2 / ffmpeg
Comment 4 Bernhard Wiedemann 2017-04-18 18:01:19 UTC
This is an autogenerated message for OBS integration:
This bug (1022921) was mentioned in
https://build.opensuse.org/request/show/489155 42.1 / ffmpeg
Comment 5 Swamp Workflow Management 2017-04-28 10:09:03 UTC
openSUSE-SU-2017:1121-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022920,1022921,1022922,1034176,1034177,1034179,1034181,1034183
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2017-7859,CVE-2017-7862,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg-3.3-6.6.1
Comment 6 Swamp Workflow Management 2017-05-29 16:09:38 UTC
openSUSE-SU-2017:1433-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg2-2.8.11-25.3.1
Comment 7 Swamp Workflow Management 2017-06-11 13:09:09 UTC
openSUSE-SU-2017:1531-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015120,1022921,1022922
CVE References: CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-5024,CVE-2017-5025
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg-3.1.8-8.1
Comment 8 Swamp Workflow Management 2017-06-11 13:12:30 UTC
openSUSE-SU-2017:1532-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1015120,1022921,1022922,1034176,1034177,1034179,980542
CVE References: CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg2-2.8.11-12.1
Comment 9 Marcus Meissner 2017-06-12 06:59:41 UTC
released
Comment 10 Swamp Workflow Management 2017-09-15 22:13:11 UTC
openSUSE-SU-2017:2502-1: An update that solves 20 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179,1046211,1049095,1056760,1056761,1056762,1056763,1056765,1056766,1057536,1057537,1057539,1058018,1058019,1058020
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-11399,CVE-2017-14054,CVE-2017-14055,CVE-2017-14056,CVE-2017-14057,CVE-2017-14058,CVE-2017-14059,CVE-2017-14169,CVE-2017-14170,CVE-2017-14171,CVE-2017-14222,CVE-2017-14223,CVE-2017-14225,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.3.4-7.1, ffmpeg2-2.8.13-32.1, lame-3.99.5-2.1, twolame-0.3.13-2.1
Comment 11 Swamp Workflow Management 2018-07-18 14:40:24 UTC
This is an autogenerated message for OBS integration:
This bug (1022921) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq