SB2020061634 - Use-after-free in ffmpeg (Alpine package)
Published: June 16, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use-after-free (CVE-ID: CVE-2020-13904)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in FFmpeg when processing a crafted EXTINF duration in an m3u8 file because parse_playlist in
libavformat/hls.c frees a pointer, and later that pointer is accessed in
av_probe_input_format3 in libavformat/format.c. A remote attacker can trick the victim to open a specially crafted media file or playlist, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=f3d13d27653687516adefe66adbfd239dee57f2e
- https://git.alpinelinux.org/aports/commit/?id=477aae6b2f690ba8a89cbd18587c96bb0ff40548
- https://git.alpinelinux.org/aports/commit/?id=228dc16f637162cbf1a241b4f1d71606ba5e8888
- https://git.alpinelinux.org/aports/commit/?id=a06541424702380d7a111b112c981b1e09910bae
- https://git.alpinelinux.org/aports/commit/?id=2a2f5de5a32743832ff7162605d6dfafe6fbd022