Infinite loop in FFmpeg

#VU32007 Infinite loop in FFmpeg

Published: 2018-07-23 | Updated: 2020-07-28

Vulnerability identifier: #VU32007

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1999012

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FFmpeg
Universal components / Libraries / Libraries used by multiple products

Vendor: ffmpeg.sourceforge.net

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially crafted PVA file has to be provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later.

Mitigation
Install update from vendor's website.

Vulnerable software versions

FFmpeg: 0.29

External links
http://www.securityfocus.com/bid/104896
http://github.com/FFmpeg/FFmpeg/commit/9807d3976be0e92e4ece3b4b1701be894cd7c2e1
http://lists.debian.org/debian-lts-announce/2019/03/msg00041.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Infinite loop in ffmpeg (Alpine package)

Infinite loop in ffmpeg.sourceforge.net FFmpeg