Resource management error in FFmpeg and Libav - CVE-2012-0858
Published: August 20, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU43705
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-0858
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: ffmpeg.sourceforge.net
Libav
Libav
Affected software:
FFmpeg
Libav
FFmpeg
Libav
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The Shorten codec (shorten.c) in libavcodec in FFmpeg 0.7.x before 0.7.12 and 0.8.x before 0.8.11, and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Shorten file, related to an "invalid free".
How to mitigate CVE-2012-0858
Install update from vendor's website.
Sources
- http://ffmpeg.org/
- http://git.libav.org/?p=libav.git;a=commitdiff;h=204cb29b3c84a74cbcd059d353c70c8bdc567d98
- http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=204cb29b3c84a74cbcd059d353c70c8bdc567d98
- http://libav.org/
- http://www.openwall.com/lists/oss-security/2012/02/14/4
- http://www.ubuntu.com/usn/USN-1479-1