SB2016122311 - Information disclosure in ffmpeg.sourceforge.net FFmpeg

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2016-7555)

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The avi_read_header function in libavformat/avidec.c in FFmpeg before 3.1.4 is vulnerable to memory leak when decoding an AVI file that has a crafted "strh" structure.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2016/10/08/1
• http://www.securityfocus.com/bid/94838
• https://security.gentoo.org/glsa/201701-71