Infinite loop in ffmpeg (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-1999012 |
| CWE-ID | CWE-835 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ffmpeg (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Infinite loop
EUVDB-ID: #VU32007
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1999012
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially crafted PVA file has to be provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later.
MitigationInstall update from vendor's website.
Vulnerable software versionsffmpeg (Alpine package): 4.1.3-r1
CPE2.3 External linkshttp://git.alpinelinux.org/aports/commit/?id=d8d38dabc6e30c901eb6bd6627d8337849d7c041
http://git.alpinelinux.org/aports/commit/?id=cf78a820406ae4481e937bc2fba252ff79c89a09
http://git.alpinelinux.org/aports/commit/?id=859fd99d06049c009c8b745626511cd681061a99
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
