Multiple vulnerabilities in ffmpeg.sourceforge.net FFmpeg
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 16 |
| CVE-ID | CVE-2013-7021 CVE-2013-7022 CVE-2013-7023 CVE-2013-7024 CVE-2013-7015 CVE-2013-7016 CVE-2013-7017 CVE-2013-7018 CVE-2013-7019 CVE-2013-7010 CVE-2013-7011 CVE-2013-7012 CVE-2013-7013 CVE-2013-7014 CVE-2013-7008 CVE-2013-7009 |
| CWE-ID | CWE-399 CWE-119 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
FFmpeg Universal components / Libraries / Libraries used by multiple products |
| Vendor | ffmpeg.sourceforge.net |
Security Bulletin
This security bulletin contains information about 16 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU42251
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7021
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The filter_frame function in libavfilter/vf_fps.c in FFmpeg before 2.1 does not properly ensure the availability of FIFO content, which allows remote attackers to cause a denial of service (double free) or possibly have unspecified other impact via crafted data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/cdd5df8189ff1537f7abe8defe971f80602cc2d2
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2905
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU42252
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7022
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before 2.1 does not properly allocate memory for tiles, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Go2Webinar data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/e07ac727c1cc9eed39e7f9117c97006f719864bd
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2971
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU42253
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7023
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The ff_combine_frame function in libavcodec/parser.c in FFmpeg before 2.1 does not properly handle certain memory-allocation errors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/f31011e9abfb2ae75bb32bc44e2c34194c8dc40a
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2982
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU42254
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7024
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The jpeg2000_decode_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not consider the component number in certain calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/fe448cd28d674c3eff3072552eae366d0b659ce9
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2921
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU42255
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7015
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The flashsv_decode_frame function in libavcodec/flashsv.c in FFmpeg before 2.1 does not properly validate a certain height value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Flash Screen Video data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://www.debian.org/security/2014/dsa-2855
https://github.com/FFmpeg/FFmpeg/commit/880c73cd76109697447fbfbaa8e5ee5683309446
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2844
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU42256
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7016
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The get_siz function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not ensure the expected sample separation, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/8bb11c3ca77b52e05a9ed1496a65f8a76e6e2d8f
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2848
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU42257
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7017
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via crafted JPEG2000 data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/912ce9dd2080c5837285a471d750fa311e09b555
https://security.gentoo.org/glsa/201603-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Buffer overflow
EUVDB-ID: #VU42258
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7018
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not ensure the use of valid code-block dimension values, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/9a271a9368eaabf99e6c2046103acb33957e63b7
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU42259
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7019
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The get_cox function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not properly validate the reduction factor, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/a1b9004b768bef606ee98d417bceb9392ceb788d
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2898
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU42261
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7010
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg before 2.1 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v9.11
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://www.debian.org/security/2014/dsa-2855
https://github.com/FFmpeg/FFmpeg/commit/454a11a1c9c686c78aa97954306fb63453299760
https://security.gentoo.org/glsa/201603-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU42262
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7011
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 does not prevent changes to global parameters, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted FFV1 data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/547d690d676064069d44703a1917e0dab7e33445
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2906
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Buffer overflow
EUVDB-ID: #VU42263
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7012
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The get_siz function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not prevent attempts to use non-zero image offsets, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/780669ef7c23c00836a24921fcc6b03be2b8ca4a
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/3080
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Input validation error
EUVDB-ID: #VU42264
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7013
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before 2.1 uses an incorrect ordering of arithmetic operations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Go2Webinar data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/821a5938d100458f4d09d634041b05c860554ce0
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2922
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Input validation error
EUVDB-ID: #VU42265
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7014
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Integer signedness error in the add_bytes_l2_c function in libavcodec/pngdsp.c in FFmpeg before 2.1 allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted PNG data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v9.11
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://www.debian.org/security/2014/dsa-2855
https://github.com/FFmpeg/FFmpeg/commit/86736f59d6a527d8bc807d09b93f971c0fe0bb07
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2919
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Input validation error
EUVDB-ID: #VU42266
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7008
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The decode_slice_header function in libavcodec/h264.c in FFmpeg before 2.1 incorrectly relies on a certain droppable field, which allows remote attackers to cause a denial of service (deadlock) or possibly have unspecified other impact via crafted H.264 data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/29ffeef5e73b8f41ff3a3f2242d356759c66f91f
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2927
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Buffer overflow
EUVDB-ID: #VU42267
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-7009
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before 2.1 does not properly maintain a pointer to pixel data, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Apple RPZA data.
MitigationInstall update from vendor's website.
Vulnerable software versionsFFmpeg: 0.3 - 2.0
CPE2.3- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg_sourceforge_net:ffmpeg:0.3.2:*:*:*:*:*:*:*
https://ffmpeg.org/security.html
https://openwall.com/lists/oss-security/2013/11/26/7
https://openwall.com/lists/oss-security/2013/12/08/3
https://github.com/FFmpeg/FFmpeg/commit/3819db745da2ac7fb3faacb116788c32f4753f34
https://security.gentoo.org/glsa/201603-06
https://trac.ffmpeg.org/ticket/2850
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
