[arch-security] [ASA-201709-10] ffmpeg: denial of service

Levente Polyak anthraxx at archlinux.org
Mon Sep 18 14:33:44 UTC 2017


Arch Linux Security Advisory ASA-201709-10
==========================================

Severity: Medium
Date    : 2017-09-15
CVE-ID  : CVE-2017-14054 CVE-2017-14055 CVE-2017-14056 CVE-2017-14057
          CVE-2017-14058 CVE-2017-14059 CVE-2017-14169 CVE-2017-14170
          CVE-2017-14171 CVE-2017-14222 CVE-2017-14223 CVE-2017-14225
Package : ffmpeg
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-400

Summary
=======

The package ffmpeg before version 1:3.3.4-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1:3.3.4-1.

# pacman -Syu "ffmpeg>=1:3.3.4-1"

The problems have been fixed upstream in version 3.3.4.

Workaround
==========

None.

Description
===========

- CVE-2017-14054 (denial of service)

In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due
to lack of an EOF (End of File) check might cause huge CPU consumption.
When a crafted IVR file, which claims a large "len" field in the header
but does not contain sufficient backing data, is provided, the first
type==4 loop would consume huge CPU resources, since there is no EOF
check inside the loop.

- CVE-2017-14055 (denial of service)

In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due
to lack of an EOF (End of File) check might cause huge CPU and memory
consumption. When a crafted MV file, which claims a large "nb_frames"
field in the header but does not contain sufficient backing data, is
provided, the loop over the frames would consume huge CPU and memory
resources, since there is no EOF check inside the loop.

- CVE-2017-14056 (denial of service)

In libavformat/rl2.c in FFmpeg 3.3.3, a DoS in rl2_read_header() due to
lack of an EOF (End of File) check might cause huge CPU and memory
consumption. When a crafted RL2 file, which claims a large
"frame_count" field in the header but does not contain sufficient
backing data, is provided, the loops (for offset and size tables) would
consume huge CPU and memory resources, since there is no EOF check
inside these loops.

- CVE-2017-14057 (denial of service)

In FFmpeg 3.3.3, a DoS in asf_read_marker() due to lack of an EOF (End
of File) check might cause huge CPU and memory consumption. When a
crafted ASF file, which claims a large "name_len" or "count" field in
the header but does not contain sufficient backing data, is provided,
the loops over the name and markers would consume huge CPU and memory
resources, since there is no EOF check inside these loops.

- CVE-2017-14058 (denial of service)

In FFmpeg 3.3.3, the read_data function in libavformat/hls.c does not
restrict reload attempts for an insufficient list, which allows remote
attackers to cause a denial of service (infinite loop).

- CVE-2017-14059 (denial of service)

In FFmpeg 3.3.3, a DoS in cine_read_header() due to lack of an EOF
check might cause huge CPU and memory consumption. When a crafted CINE
file, which claims a large "duration" field in the header but does not
contain sufficient backing data, is provided, the image-offset parsing
loop would consume huge CPU and memory resources, since there is no EOF
check inside the loop.

- CVE-2017-14169 (denial of service)

In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg
3.3.3, an integer signedness error might occur when a crafted file,
which claims a large "item_num" field such as 0xffffffff, is provided.
As a result, the variable "item_num" turns negative, bypassing the
check for a large value.

- CVE-2017-14170 (denial of service)

In libavformat/mxfdec.c in FFmpeg 3.3.3, a DoS in
mxf_read_index_entry_array() due to lack of an EOF (End of File) check
might cause huge CPU consumption. When a crafted MXF file, which claims
a large "nb_index_entries" field in the header but does not contain
sufficient backing data, is provided, the loop would consume huge CPU
resources, since there is no EOF check inside the loop. Moreover, this
big loop can be invoked multiple times if there is more than one
applicable data segment in the crafted MXF file.

- CVE-2017-14171 (denial of service)

In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in
nsv_parse_NSVf_header() due to lack of an EOF (End of File) check might
cause huge CPU consumption. When a crafted NSV file, which claims a
large "table_entries_used" field in the header but does not contain
sufficient backing data, is provided, the loop over
'table_entries_used' would consume huge CPU resources, since there is
no EOF check inside the loop.

- CVE-2017-14222 (denial of service)

In libavformat/mov.c in FFmpeg 3.3.3, a DoS in read_tfra() due to lack
of an EOF (End of File) check might cause huge CPU and memory
consumption. When a crafted MOV file, which claims a large "item_count"
field in the header but does not contain sufficient backing data, is
provided, the loop would consume huge CPU and memory resources, since
there is no EOF check inside the loop.

- CVE-2017-14223 (denial of service)

In libavformat/asfdec_f.c in FFmpeg 3.3.3, a DoS in
asf_build_simple_index() due to lack of an EOF (End of File) check
might cause huge CPU consumption. When a crafted ASF file, which claims
a large "ict" field in the header but does not contain sufficient
backing data, is provided, the for loop would consume huge CPU and
memory resources, since there is no EOF check inside the loop.

- CVE-2017-14225 (denial of service)

The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg
3.3.3 may return a NULL pointer depending on a value contained in a
file, but callers do not anticipate this, as demonstrated by the
avcodec_string function in libavcodec/utils.c, leading to a NULL
pointer dereference. (It is also conceivable that there is security
relevance for a NULL pointer dereference in av_color_primaries_name
calls within the ffprobe command-line program.)
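
The two recurring patterns in the entries above (a loop bounded only by a header-supplied count with no EOF check, and the signedness error of CVE-2017-14169) are shown below as an added C sketch. It is not FFmpeg's code: Reader, read_be32, the parse_* and count_ok_* functions, MAX_ITEMS and the sample bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed reader: a read past the end yields zero bytes, not an error. */
typedef struct { const uint8_t *buf; size_t size, pos; } Reader;

static uint32_t read_be32(Reader *r) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v = (v << 8) | (r->pos < r->size ? r->buf[r->pos++] : 0);
    return v;
}

/* Before: the trip count is whatever the header claims. */
static int parse_unchecked(Reader *r, uint64_t *iters) {
    uint32_t count = read_be32(r);
    for (*iters = 0; *iters < count; (*iters)++)
        (void)read_be32(r);          /* keeps "reading" zeros after EOF */
    return 0;
}

/* After: stop as soon as the backing data runs out. */
static int parse_checked(Reader *r, uint64_t *iters) {
    uint32_t count = read_be32(r);
    for (*iters = 0; *iters < count; (*iters)++) {
        if (r->pos >= r->size)
            return -1;               /* truncated input: fail early */
        (void)read_be32(r);
    }
    return 0;
}

/* Signedness: held in an int, 0xffffffff is -1 on common ABIs and slips
 * under an upper-bound-only check. */
#define MAX_ITEMS 65536              /* constructed limit */
static int count_ok_signed(uint32_t raw)   { int n = (int)raw; return n <= MAX_ITEMS; }
static int count_ok_unsigned(uint32_t raw) { return raw <= (uint32_t)MAX_ITEMS; }

/* Constructed sample: header claims 1,000,000 entries, only 2 follow. */
static const uint8_t SAMPLE[] = { 0x00,0x0F,0x42,0x40, 0,0,0,1, 0,0,0,2 };

int main(void) {
    uint64_t a, b;
    Reader r1 = { SAMPLE, sizeof SAMPLE, 0 }, r2 = r1;
    parse_unchecked(&r1, &a);
    printf("unchecked iterations: %llu, checked rc: %d\n",
           (unsigned long long)a, parse_checked(&r2, &b));
    return 0;
}
```

On the 12-byte sample the unchecked parser runs the full claimed count, while the checked one returns an error after the two entries that are actually present.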

Impact
======

A remote attacker is able to crash the application while the user is
watching an HLS stream. Furthermore, an attacker is able to crash the
application by tricking the user into opening a specially crafted video
file.

References
==========

https://github.com/FFmpeg/FFmpeg/commit/124eb202e70678539544f6268efc98131f19fa49
https://github.com/FFmpeg/FFmpeg/commit/4f05e2e2dc1a89f38cd9f0960a6561083d714f1e
https://github.com/FFmpeg/FFmpeg/commit/96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de
https://github.com/FFmpeg/FFmpeg/commit/7f9ec5593e04827249e7aeb466da06a98a0d7329
https://github.com/FFmpeg/FFmpeg/commit/7ec414892ddcad88313848494b6fc5f437c9ca4a
https://github.com/FFmpeg/FFmpeg/commit/7e80b63ecd259d69d383623e75b318bf2bd491f6
https://github.com/FFmpeg/FFmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad
https://github.com/FFmpeg/FFmpeg/commit/900f39692ca0337a98a7cf047e4e2611071810c2
https://github.com/FFmpeg/FFmpeg/commit/c24bcb553650b91e9eff15ef6e54ca73de2453b7
https://github.com/FFmpeg/FFmpeg/commit/9cb4eb772839c5e1de2855d126bf74ff16d13382
https://github.com/FFmpeg/FFmpeg/commit/afc9c683ed9db01edb357bc8c19edad4282b3a97
https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2
https://security.archlinux.org/CVE-2017-14054
https://security.archlinux.org/CVE-2017-14055
https://security.archlinux.org/CVE-2017-14056
https://security.archlinux.org/CVE-2017-14057
https://security.archlinux.org/CVE-2017-14058
https://security.archlinux.org/CVE-2017-14059
https://security.archlinux.org/CVE-2017-14169
https://security.archlinux.org/CVE-2017-14170
https://security.archlinux.org/CVE-2017-14171
https://security.archlinux.org/CVE-2017-14222
https://security.archlinux.org/CVE-2017-14223
https://security.archlinux.org/CVE-2017-14225
