Heap-based buffer overflow in ffmpeg (Alpine package)
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-17542 |
| CWE-ID | CWE-122 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
ffmpeg (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Heap-based buffer overflow
EUVDB-ID: #VU29634
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-17542
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the vqa_decode_chunk because of an out-of-array access in vqa_decode_init in libavcodec/vqavideo.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsffmpeg (Alpine package): 4.0.4-r0
CPE2.3 External linkshttps://git.alpinelinux.org/aports/commit/?id=228dc16f637162cbf1a241b4f1d71606ba5e8888
https://git.alpinelinux.org/aports/commit/?id=de8ecbcf01a07a78b3ef9f8970573d6e77803cd0
https://git.alpinelinux.org/aports/commit/?id=c0e9c2726f23f0410b383f030c4e2c8ab6b5090f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
