#VU42325 Buffer overflow in FFmpeg - CVE-2013-0868

Cybersecurity Help s.r.o.

Published: 2013-11-23 | Updated: 2020-08-10

Vulnerability identifier: #VU42325

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2013-0868

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FFmpeg
Universal components / Libraries / Libraries used by multiple products

Vendor: ffmpeg.sourceforge.net

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers to have an unspecified impact via crafted Huffyuv data, related to an out-of-bounds write and (1) unchecked return codes from the init_vlc function and (2) "len==0 cases."

Mitigation
Install update from vendor's website.

Vulnerable software versions

FFmpeg: 0.3 - 1.0

External links
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6baa54924980e1f0e8121e4715d16ed1adcd2a23
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=75e88db33013eaa7ab74457f5556df677b4ffb42
https://www.ffmpeg.org/security.html
https://security.gentoo.org/glsa/201603-06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler update for ffmpeg

Gentoo update for FFmpeg

Gentoo update for Libav

Multiple vulnerabilities in ffmpeg.sourceforge.net FFmpeg