SB2017090904 - NULL pointer dereference in ffmpeg.sourceforge.net FFmpeg

Description

This security bulletin contains information about 1 security vulnerability.

1) NULL pointer dereference (CVE-ID: CVE-2017-14225)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program. A remote attacker can perform a denial of service (DoS) attack.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://www.debian.org/security/2017/dsa-3996
• http://www.securityfocus.com/bid/100704
• https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2
• https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2017-August/215198.html