Security update for ffmpeg SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1532-1 Final 1 1 2017-06-11T09:31:21Z current 2017-06-11T09:31:21Z 2017-06-11T09:31:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ffmpeg ffmpeg was updated to fix the following security issues: CVE-2016-10191: remote exploitaion results code execution ((bsc#1022921) CVE-2016-10192: remote exploitaion results code execution bsc#1022922) CVE-2017-7866: stack-based buffer overflow (bsc#1034176) CVE-2017-7865: heap-based buffer overflow (bsc#1034177) CVE-2017-7863: heap-based buffer overflow (bsc#1034179) CVE-2016-9561: Huge amount memory allocated, resulting in DoS (bsc#1015120) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-672 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1015120 SUSE Bug 1015120 https://bugzilla.suse.com/1022921 SUSE Bug 1022921 https://bugzilla.suse.com/1022922 SUSE Bug 1022922 https://bugzilla.suse.com/1034176 SUSE Bug 1034176 https://bugzilla.suse.com/1034177 SUSE Bug 1034177 https://bugzilla.suse.com/1034179 SUSE Bug 1034179 https://bugzilla.suse.com/980542 SUSE Bug 980542 https://www.suse.com/security/cve/CVE-2016-10191/ SUSE CVE CVE-2016-10191 page https://www.suse.com/security/cve/CVE-2016-10192/ SUSE CVE CVE-2016-10192 page https://www.suse.com/security/cve/CVE-2016-9561/ SUSE CVE CVE-2016-9561 page https://www.suse.com/security/cve/CVE-2017-7863/ SUSE CVE CVE-2017-7863 page https://www.suse.com/security/cve/CVE-2017-7865/ SUSE CVE CVE-2017-7865 page https://www.suse.com/security/cve/CVE-2017-7866/ SUSE CVE CVE-2017-7866 page SUSE Package Hub 12 SP1 ffmpeg2-devel-2.8.11-12.1 libavcodec56-2.8.11-12.1 libavdevice56-2.8.11-12.1 libavfilter5-2.8.11-12.1 libavformat56-2.8.11-12.1 libavresample2-2.8.11-12.1 libavutil54-2.8.11-12.1 libpostproc53-2.8.11-12.1 libswresample1-2.8.11-12.1 libswscale3-2.8.11-12.1 ffmpeg2-devel-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libavcodec56-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libavdevice56-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libavfilter5-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libavformat56-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libavresample2-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libavutil54-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libpostproc53-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libswresample1-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 libswscale3-2.8.11-12.1 as a component of SUSE Package Hub 12 SP1 Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches. CVE-2016-10191 SUSE Package Hub 12 SP1:ffmpeg2-devel-2.8.11-12.1 SUSE Package Hub 12 SP1:libavcodec56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavdevice56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavfilter5-2.8.11-12.1 SUSE Package Hub 12 SP1:libavformat56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavresample2-2.8.11-12.1 SUSE Package Hub 12 SP1:libavutil54-2.8.11-12.1 SUSE Package Hub 12 SP1:libpostproc53-2.8.11-12.1 SUSE Package Hub 12 SP1:libswresample1-2.8.11-12.1 SUSE Package Hub 12 SP1:libswscale3-2.8.11-12.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10191.html CVE-2016-10191 https://bugzilla.suse.com/1022921 SUSE Bug 1022921 Heap-based buffer overflow in ffserver.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check chunk size. CVE-2016-10192 SUSE Package Hub 12 SP1:ffmpeg2-devel-2.8.11-12.1 SUSE Package Hub 12 SP1:libavcodec56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavdevice56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavfilter5-2.8.11-12.1 SUSE Package Hub 12 SP1:libavformat56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavresample2-2.8.11-12.1 SUSE Package Hub 12 SP1:libavutil54-2.8.11-12.1 SUSE Package Hub 12 SP1:libpostproc53-2.8.11-12.1 SUSE Package Hub 12 SP1:libswresample1-2.8.11-12.1 SUSE Package Hub 12 SP1:libswscale3-2.8.11-12.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10192.html CVE-2016-10192 https://bugzilla.suse.com/1022922 SUSE Bug 1022922 The che_configure function in libavcodec/aacdec_template.c in FFmpeg before 3.2.1 allows remote attackers to cause a denial of service (allocation of huge memory, and being killed by the OS) via a crafted MOV file. CVE-2016-9561 SUSE Package Hub 12 SP1:ffmpeg2-devel-2.8.11-12.1 SUSE Package Hub 12 SP1:libavcodec56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavdevice56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavfilter5-2.8.11-12.1 SUSE Package Hub 12 SP1:libavformat56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavresample2-2.8.11-12.1 SUSE Package Hub 12 SP1:libavutil54-2.8.11-12.1 SUSE Package Hub 12 SP1:libpostproc53-2.8.11-12.1 SUSE Package Hub 12 SP1:libswresample1-2.8.11-12.1 SUSE Package Hub 12 SP1:libswscale3-2.8.11-12.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9561.html CVE-2016-9561 https://bugzilla.suse.com/1015120 SUSE Bug 1015120 FFmpeg before 2017-02-04 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c. CVE-2017-7863 SUSE Package Hub 12 SP1:ffmpeg2-devel-2.8.11-12.1 SUSE Package Hub 12 SP1:libavcodec56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavdevice56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavfilter5-2.8.11-12.1 SUSE Package Hub 12 SP1:libavformat56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavresample2-2.8.11-12.1 SUSE Package Hub 12 SP1:libavutil54-2.8.11-12.1 SUSE Package Hub 12 SP1:libpostproc53-2.8.11-12.1 SUSE Package Hub 12 SP1:libswresample1-2.8.11-12.1 SUSE Package Hub 12 SP1:libswscale3-2.8.11-12.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7863.html CVE-2017-7863 https://bugzilla.suse.com/1034179 SUSE Bug 1034179 FFmpeg before 2017-01-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c. CVE-2017-7865 SUSE Package Hub 12 SP1:ffmpeg2-devel-2.8.11-12.1 SUSE Package Hub 12 SP1:libavcodec56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavdevice56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavfilter5-2.8.11-12.1 SUSE Package Hub 12 SP1:libavformat56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavresample2-2.8.11-12.1 SUSE Package Hub 12 SP1:libavutil54-2.8.11-12.1 SUSE Package Hub 12 SP1:libpostproc53-2.8.11-12.1 SUSE Package Hub 12 SP1:libswresample1-2.8.11-12.1 SUSE Package Hub 12 SP1:libswscale3-2.8.11-12.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7865.html CVE-2017-7865 https://bugzilla.suse.com/1034177 SUSE Bug 1034177 FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c. CVE-2017-7866 SUSE Package Hub 12 SP1:ffmpeg2-devel-2.8.11-12.1 SUSE Package Hub 12 SP1:libavcodec56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavdevice56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavfilter5-2.8.11-12.1 SUSE Package Hub 12 SP1:libavformat56-2.8.11-12.1 SUSE Package Hub 12 SP1:libavresample2-2.8.11-12.1 SUSE Package Hub 12 SP1:libavutil54-2.8.11-12.1 SUSE Package Hub 12 SP1:libpostproc53-2.8.11-12.1 SUSE Package Hub 12 SP1:libswresample1-2.8.11-12.1 SUSE Package Hub 12 SP1:libswscale3-2.8.11-12.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7866.html CVE-2017-7866 https://bugzilla.suse.com/1034176 SUSE Bug 1034176