Assertion violation in ffmpeg (Alpine package)



Published: 2018-04-21
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-12458
CWE-ID CWE-617
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		ffmpeg (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Assertion violation

EUVDB-ID: #VU14017

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12458

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to improper integer type in the mpeg4_encode_gop_header function in libavcodec/mpeg4videoenc.c. A remote attacker can supply specially crafted AVI file to MPEG4, trick the victim into converting it, trigger assertion violation and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ffmpeg (Alpine package): 3.4.2-r2 - 3.4.2-r3

CPE2.3 External links

http://git.alpinelinux.org/aports/commit/?id=d8d38dabc6e30c901eb6bd6627d8337849d7c041
http://git.alpinelinux.org/aports/commit/?id=cf78a820406ae4481e937bc2fba252ff79c89a09
http://git.alpinelinux.org/aports/commit/?id=859fd99d06049c009c8b745626511cd681061a99
http://git.alpinelinux.org/aports/commit/?id=244b8239305a7fb24f4d98be5abb84bda770afe7
http://git.alpinelinux.org/aports/commit/?id=2a92300f12bdc3ed7fc960459e6b5a37868da059
http://git.alpinelinux.org/aports/commit/?id=67e1fa48160c4e435007390d685bdfacd84ea1f0


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###