SB2017120742 - NULL pointer dereference in ffmpeg (Alpine package)
Published: December 7, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) NULL pointer dereference (CVE-ID: CVE-2017-14225)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program. A remote attacker can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=b1cb7063482eddce57992920a78e763bb3f8eea7
- https://git.alpinelinux.org/aports/commit/?id=beb6c402470c5f9bc5bcd17d8b57bfbd52785ec6
- https://git.alpinelinux.org/aports/commit/?id=48e351c55b295e4281b7bc1b8a0223bc878c1bf3
- https://git.alpinelinux.org/aports/commit/?id=1012b905bec72936b78cbe2de9cff631fc0b695b