Debian Security Advisory
DSA-3957-1 ffmpeg -- security update
- Date Reported:
- 28 Aug 2017
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-9608, CVE-2017-9993, CVE-2017-11399, CVE-2017-11665, CVE-2017-11719.
- More information:
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situation, the execution of arbitrary code.
Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access when parsing a crafted MOV file.
Thierry Foucu discovered that it was possible to leak information from files and symlinks ending in common multimedia extensions, using the HTTP Live Streaming.
Liu Bingchang of IIE discovered an integer overflow in the APE decoder that can be triggered by a crafted APE file.
JunDong Xie of Ant-financial Light-Year Security Lab discovered that an attacker able to craft a RTMP stream can crash FFmpeg.
Liu Bingchang of IIE discovered an out-of-bound access that can be triggered by a crafted DNxHD file.
For the stable distribution (stretch), these problems have been fixed in version 7:3.2.7-1~deb9u1.
We recommend that you upgrade your ffmpeg packages.