First Last Prev Next    This bug is not in your last search results.
Bug 1022922 - (CVE-2016-10192) VUL-0: CVE-2016-10192: ffmpeg: remote exploitaion results code execution [ 3 - ffserver.c ]
(CVE-2016-10192)
VUL-0: CVE-2016-10192: ffmpeg: remote exploitaion results code execution [ 3 ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 42.2
: P3 - Medium : Normal
: unspecified
Assigned To: Jan Engelhardt
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-01 00:12 UTC by Mikhail Kasimov
Modified: 2021-09-11 02:35 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-02-01 00:12:45 UTC 
Ref: http://seclists.org/oss-sec/2017/q1/245
===================================================
This letter is a result of research made by Emil Lerner <neex.emil () gmail com <mailto:neex.emil () gmail com>> and 
Pavel Cheremushkin <paulcher () seclab cs msu su <mailto:paulcher () seclab cs msu su>> and it is supposed to disclosed 
multiple issues we managed to find and exploit in FFmpeg software. Despite that all vulnerabilities have been 
successfully patched by FFmpeg developers this letter is supposed to clarify all these issues and show that they are 
exploitable.

--[ 3 - ffserver.c ]

This issue is completely like the first one and it results heap overflow.

This issue was fixed in https://github.com/FFmpeg/FFmpeg/commit/a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156
===================================================

Comment on Ref: http://seclists.org/oss-sec/2017/q1/251
===================================================
In case anyone else is curious, here are the corresponding commits
reachable from the n3.2.2 release tag:

https://github.com/FFmpeg/FFmpeg/commit/c12ee64e80af2517005231388fdf4ea78f16bb0e
===================================================

(open-)SUSE: https://software.opensuse.org/package/ffmpeg

TW: 3.2.22
42.2: 3.2
42.1: 2.8.8
Comment 1 Swamp Workflow Management 2017-02-01 23:01:14 UTC 
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2017-04-18 14:00:53 UTC 
This is an autogenerated message for OBS integration:
This bug (1022922) was mentioned in
https://build.opensuse.org/request/show/489097 Factory / ffmpeg
Comment 3 Bernhard Wiedemann 2017-04-18 16:01:12 UTC 
This is an autogenerated message for OBS integration:
This bug (1022922) was mentioned in
https://build.opensuse.org/request/show/489106 42.2 / ffmpeg
Comment 4 Bernhard Wiedemann 2017-04-18 18:01:25 UTC 
This is an autogenerated message for OBS integration:
This bug (1022922) was mentioned in
https://build.opensuse.org/request/show/489155 42.1 / ffmpeg
Comment 5 Swamp Workflow Management 2017-04-28 10:09:17 UTC 
openSUSE-SU-2017:1121-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022920,1022921,1022922,1034176,1034177,1034179,1034181,1034183
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2017-7859,CVE-2017-7862,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg-3.3-6.6.1
Comment 6 Swamp Workflow Management 2017-05-29 16:09:46 UTC 
openSUSE-SU-2017:1433-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg2-2.8.11-25.3.1
Comment 7 Swamp Workflow Management 2017-06-11 13:11:14 UTC 
openSUSE-SU-2017:1531-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015120,1022921,1022922
CVE References: CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-5024,CVE-2017-5025
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg-3.1.8-8.1
Comment 8 Swamp Workflow Management 2017-06-11 13:12:38 UTC 
openSUSE-SU-2017:1532-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1015120,1022921,1022922,1034176,1034177,1034179,980542
CVE References: CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg2-2.8.11-12.1
Comment 9 Marcus Meissner 2017-06-12 06:58:00 UTC 
released
Comment 10 Swamp Workflow Management 2017-09-15 22:13:20 UTC 
openSUSE-SU-2017:2502-1: An update that solves 20 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179,1046211,1049095,1056760,1056761,1056762,1056763,1056765,1056766,1057536,1057537,1057539,1058018,1058019,1058020
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-11399,CVE-2017-14054,CVE-2017-14055,CVE-2017-14056,CVE-2017-14057,CVE-2017-14058,CVE-2017-14059,CVE-2017-14169,CVE-2017-14170,CVE-2017-14171,CVE-2017-14222,CVE-2017-14223,CVE-2017-14225,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.3.4-7.1, ffmpeg2-2.8.13-32.1, lame-3.99.5-2.1, twolame-0.3.13-2.1
Comment 11 Swamp Workflow Management 2018-07-18 14:40:28 UTC 
This is an autogenerated message for OBS integration:
This bug (1022922) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq
First Last Prev Next    This bug is not in your last search results.