Ubuntu update for FFmpeg
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2018-15822 CVE-2019-11338 CVE-2019-11339 CVE-2019-9718 CVE-2019-9721 |
| CWE-ID | CWE-617 CWE-476 CWE-119 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ffmpeg (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Assertion failure
EUVDB-ID: #VU14532
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-15822
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The vulnerability exists due to insufficient checks for an empty audio packet by the flv_write_packet function, as defined in the libavformat/flvenc.c source code file. A local attacker can access the system and execute a specially crafted application that submits malicious input to trigger an assertion failure and cause the service to crash.
MitigationUpdate the affected packages.
- Ubuntu 19.04
- ffmpeg - 7:4.1.3-0ubuntu1
- libavcodec-extra58 - 7:4.1.3-0ubuntu1
- libavcodec58 - 7:4.1.3-0ubuntu1
- libavdevice58 - 7:4.1.3-0ubuntu1
- libavfilter-extra7 - 7:4.1.3-0ubuntu1
- libavfilter7 - 7:4.1.3-0ubuntu1
- libavformat58 - 7:4.1.3-0ubuntu1
- libavresample4 - 7:4.1.3-0ubuntu1
- libavutil56 - 7:4.1.3-0ubuntu1
- libpostproc55 - 7:4.1.3-0ubuntu1
- libswresample3 - 7:4.1.3-0ubuntu1
- libswscale5 - 7:4.1.3-0ubuntu1
- Ubuntu 18.10
- ffmpeg - 7:4.0.4-0ubuntu1
- libavcodec-extra58 - 7:4.0.4-0ubuntu1
- libavcodec58 - 7:4.0.4-0ubuntu1
- libavdevice58 - 7:4.0.4-0ubuntu1
- libavfilter-extra7 - 7:4.0.4-0ubuntu1
- libavfilter7 - 7:4.0.4-0ubuntu1
- libavformat58 - 7:4.0.4-0ubuntu1
- libavresample4 - 7:4.0.4-0ubuntu1
- libavutil56 - 7:4.0.4-0ubuntu1
- libpostproc55 - 7:4.0.4-0ubuntu1
- libswresample3 - 7:4.0.4-0ubuntu1
- libswscale5 - 7:4.0.4-0ubuntu1
- Ubuntu 18.04 LTS
- ffmpeg - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec-extra57 - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec57 - 7:3.4.6-0ubuntu0.18.04.1
- libavdevice57 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter-extra6 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter6 - 7:3.4.6-0ubuntu0.18.04.1
- libavformat57 - 7:3.4.6-0ubuntu0.18.04.1
- libavresample3 - 7:3.4.6-0ubuntu0.18.04.1
- libavutil55 - 7:3.4.6-0ubuntu0.18.04.1
- libpostproc54 - 7:3.4.6-0ubuntu0.18.04.1
- libswresample2 - 7:3.4.6-0ubuntu0.18.04.1
- libswscale4 - 7:3.4.6-0ubuntu0.18.04.1
ffmpeg (Ubuntu package): 7:4.0-1 - 7:4.1.1-1
External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) NULL pointer dereference
EUVDB-ID: #VU18318
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11338
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when detecting duplicate first slices within libavcodec/hevcdec.c file. A remote attacker can trigger denial of service conditions via crafted HEVC data.
MitigationUpdate the affected packages.
- Ubuntu 19.04
- ffmpeg - 7:4.1.3-0ubuntu1
- libavcodec-extra58 - 7:4.1.3-0ubuntu1
- libavcodec58 - 7:4.1.3-0ubuntu1
- libavdevice58 - 7:4.1.3-0ubuntu1
- libavfilter-extra7 - 7:4.1.3-0ubuntu1
- libavfilter7 - 7:4.1.3-0ubuntu1
- libavformat58 - 7:4.1.3-0ubuntu1
- libavresample4 - 7:4.1.3-0ubuntu1
- libavutil56 - 7:4.1.3-0ubuntu1
- libpostproc55 - 7:4.1.3-0ubuntu1
- libswresample3 - 7:4.1.3-0ubuntu1
- libswscale5 - 7:4.1.3-0ubuntu1
- Ubuntu 18.10
- ffmpeg - 7:4.0.4-0ubuntu1
- libavcodec-extra58 - 7:4.0.4-0ubuntu1
- libavcodec58 - 7:4.0.4-0ubuntu1
- libavdevice58 - 7:4.0.4-0ubuntu1
- libavfilter-extra7 - 7:4.0.4-0ubuntu1
- libavfilter7 - 7:4.0.4-0ubuntu1
- libavformat58 - 7:4.0.4-0ubuntu1
- libavresample4 - 7:4.0.4-0ubuntu1
- libavutil56 - 7:4.0.4-0ubuntu1
- libpostproc55 - 7:4.0.4-0ubuntu1
- libswresample3 - 7:4.0.4-0ubuntu1
- libswscale5 - 7:4.0.4-0ubuntu1
- Ubuntu 18.04 LTS
- ffmpeg - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec-extra57 - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec57 - 7:3.4.6-0ubuntu0.18.04.1
- libavdevice57 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter-extra6 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter6 - 7:3.4.6-0ubuntu0.18.04.1
- libavformat57 - 7:3.4.6-0ubuntu0.18.04.1
- libavresample3 - 7:3.4.6-0ubuntu0.18.04.1
- libavutil55 - 7:3.4.6-0ubuntu0.18.04.1
- libpostproc54 - 7:3.4.6-0ubuntu0.18.04.1
- libswresample2 - 7:3.4.6-0ubuntu0.18.04.1
- libswscale4 - 7:3.4.6-0ubuntu0.18.04.1
ffmpeg (Ubuntu package): 7:4.0-1 - 7:4.1.1-1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU18319
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11339
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the studio profile decoder in libavcodec/mpeg4videodec.c when processing MPEG-4 video data. A remote attacker can create a specially crafted video file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
- Ubuntu 19.04
- ffmpeg - 7:4.1.3-0ubuntu1
- libavcodec-extra58 - 7:4.1.3-0ubuntu1
- libavcodec58 - 7:4.1.3-0ubuntu1
- libavdevice58 - 7:4.1.3-0ubuntu1
- libavfilter-extra7 - 7:4.1.3-0ubuntu1
- libavfilter7 - 7:4.1.3-0ubuntu1
- libavformat58 - 7:4.1.3-0ubuntu1
- libavresample4 - 7:4.1.3-0ubuntu1
- libavutil56 - 7:4.1.3-0ubuntu1
- libpostproc55 - 7:4.1.3-0ubuntu1
- libswresample3 - 7:4.1.3-0ubuntu1
- libswscale5 - 7:4.1.3-0ubuntu1
- Ubuntu 18.10
- ffmpeg - 7:4.0.4-0ubuntu1
- libavcodec-extra58 - 7:4.0.4-0ubuntu1
- libavcodec58 - 7:4.0.4-0ubuntu1
- libavdevice58 - 7:4.0.4-0ubuntu1
- libavfilter-extra7 - 7:4.0.4-0ubuntu1
- libavfilter7 - 7:4.0.4-0ubuntu1
- libavformat58 - 7:4.0.4-0ubuntu1
- libavresample4 - 7:4.0.4-0ubuntu1
- libavutil56 - 7:4.0.4-0ubuntu1
- libpostproc55 - 7:4.0.4-0ubuntu1
- libswresample3 - 7:4.0.4-0ubuntu1
- libswscale5 - 7:4.0.4-0ubuntu1
- Ubuntu 18.04 LTS
- ffmpeg - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec-extra57 - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec57 - 7:3.4.6-0ubuntu0.18.04.1
- libavdevice57 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter-extra6 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter6 - 7:3.4.6-0ubuntu0.18.04.1
- libavformat57 - 7:3.4.6-0ubuntu0.18.04.1
- libavresample3 - 7:3.4.6-0ubuntu0.18.04.1
- libavutil55 - 7:3.4.6-0ubuntu0.18.04.1
- libpostproc54 - 7:3.4.6-0ubuntu0.18.04.1
- libswresample2 - 7:3.4.6-0ubuntu0.18.04.1
- libswscale4 - 7:3.4.6-0ubuntu0.18.04.1
ffmpeg (Ubuntu package): 7:4.0-1 - 7:4.1.1-1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU18320
Risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9718
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the subtitle decoder in ff_htmlmarkup_to_ass() function in libavcodec/htmlsubtitles.c when processing video files in Matroska format. A remote attacker can create a specially crafted video file, pass it to the affected application and consume all available CPU resources.
MitigationUpdate the affected packages.
- Ubuntu 19.04
- ffmpeg - 7:4.1.3-0ubuntu1
- libavcodec-extra58 - 7:4.1.3-0ubuntu1
- libavcodec58 - 7:4.1.3-0ubuntu1
- libavdevice58 - 7:4.1.3-0ubuntu1
- libavfilter-extra7 - 7:4.1.3-0ubuntu1
- libavfilter7 - 7:4.1.3-0ubuntu1
- libavformat58 - 7:4.1.3-0ubuntu1
- libavresample4 - 7:4.1.3-0ubuntu1
- libavutil56 - 7:4.1.3-0ubuntu1
- libpostproc55 - 7:4.1.3-0ubuntu1
- libswresample3 - 7:4.1.3-0ubuntu1
- libswscale5 - 7:4.1.3-0ubuntu1
- Ubuntu 18.10
- ffmpeg - 7:4.0.4-0ubuntu1
- libavcodec-extra58 - 7:4.0.4-0ubuntu1
- libavcodec58 - 7:4.0.4-0ubuntu1
- libavdevice58 - 7:4.0.4-0ubuntu1
- libavfilter-extra7 - 7:4.0.4-0ubuntu1
- libavfilter7 - 7:4.0.4-0ubuntu1
- libavformat58 - 7:4.0.4-0ubuntu1
- libavresample4 - 7:4.0.4-0ubuntu1
- libavutil56 - 7:4.0.4-0ubuntu1
- libpostproc55 - 7:4.0.4-0ubuntu1
- libswresample3 - 7:4.0.4-0ubuntu1
- libswscale5 - 7:4.0.4-0ubuntu1
- Ubuntu 18.04 LTS
- ffmpeg - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec-extra57 - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec57 - 7:3.4.6-0ubuntu0.18.04.1
- libavdevice57 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter-extra6 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter6 - 7:3.4.6-0ubuntu0.18.04.1
- libavformat57 - 7:3.4.6-0ubuntu0.18.04.1
- libavresample3 - 7:3.4.6-0ubuntu0.18.04.1
- libavutil55 - 7:3.4.6-0ubuntu0.18.04.1
- libpostproc54 - 7:3.4.6-0ubuntu0.18.04.1
- libswresample2 - 7:3.4.6-0ubuntu0.18.04.1
- libswscale4 - 7:3.4.6-0ubuntu0.18.04.1
ffmpeg (Ubuntu package): 7:4.0-1 - 7:4.1.1-1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU18321
Risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9721
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the subtitle decoder in handle_open_brace() function in libavcodec/htmlsubtitles.c when processing video files in Matroska format. A remote attacker can create a specially crafted video file, pass it to the affected application and consume all available CPU resources.
MitigationUpdate the affected packages.
- Ubuntu 19.04
- ffmpeg - 7:4.1.3-0ubuntu1
- libavcodec-extra58 - 7:4.1.3-0ubuntu1
- libavcodec58 - 7:4.1.3-0ubuntu1
- libavdevice58 - 7:4.1.3-0ubuntu1
- libavfilter-extra7 - 7:4.1.3-0ubuntu1
- libavfilter7 - 7:4.1.3-0ubuntu1
- libavformat58 - 7:4.1.3-0ubuntu1
- libavresample4 - 7:4.1.3-0ubuntu1
- libavutil56 - 7:4.1.3-0ubuntu1
- libpostproc55 - 7:4.1.3-0ubuntu1
- libswresample3 - 7:4.1.3-0ubuntu1
- libswscale5 - 7:4.1.3-0ubuntu1
- Ubuntu 18.10
- ffmpeg - 7:4.0.4-0ubuntu1
- libavcodec-extra58 - 7:4.0.4-0ubuntu1
- libavcodec58 - 7:4.0.4-0ubuntu1
- libavdevice58 - 7:4.0.4-0ubuntu1
- libavfilter-extra7 - 7:4.0.4-0ubuntu1
- libavfilter7 - 7:4.0.4-0ubuntu1
- libavformat58 - 7:4.0.4-0ubuntu1
- libavresample4 - 7:4.0.4-0ubuntu1
- libavutil56 - 7:4.0.4-0ubuntu1
- libpostproc55 - 7:4.0.4-0ubuntu1
- libswresample3 - 7:4.0.4-0ubuntu1
- libswscale5 - 7:4.0.4-0ubuntu1
- Ubuntu 18.04 LTS
- ffmpeg - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec-extra57 - 7:3.4.6-0ubuntu0.18.04.1
- libavcodec57 - 7:3.4.6-0ubuntu0.18.04.1
- libavdevice57 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter-extra6 - 7:3.4.6-0ubuntu0.18.04.1
- libavfilter6 - 7:3.4.6-0ubuntu0.18.04.1
- libavformat57 - 7:3.4.6-0ubuntu0.18.04.1
- libavresample3 - 7:3.4.6-0ubuntu0.18.04.1
- libavutil55 - 7:3.4.6-0ubuntu0.18.04.1
- libpostproc54 - 7:3.4.6-0ubuntu0.18.04.1
- libswresample2 - 7:3.4.6-0ubuntu0.18.04.1
- libswscale4 - 7:3.4.6-0ubuntu0.18.04.1
ffmpeg (Ubuntu package): 7:4.0-1 - 7:4.1.1-1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
