Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situation, the execution of arbitrary code. CVE-2017-9608 Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access when parsing a crafted MOV file. CVE-2017-9993 Thierry Foucu discovered that it was possible to leak information from files and symlinks ending in common multimedia extensions, using the HTTP Live Streaming. CVE-2017-11399 Liu Bingchang of IIE discovered an integer overflow in the APE decoder that can be triggered by a crafted APE file. CVE-2017-11665 JunDong Xie of Ant-financial Light-Year Security Lab discovered that an attacker able to craft a RTMP stream can crash FFmpeg. CVE-2017-11719 Liu Bingchang of IIE discovered an out-of-bound access that can be triggered by a crafted DNxHD file. For the stable distribution (stretch), these problems have been fixed in version 7:3.2.7-1~deb9u1. We recommend that you upgrade your ffmpeg packages.
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situation, the execution of arbitrary code.
Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access when parsing a crafted MOV file.
Thierry Foucu discovered that it was possible to leak information from files and symlinks ending in common multimedia extensions, using the HTTP Live Streaming.
Liu Bingchang of IIE discovered an integer overflow in the APE decoder that can be triggered by a crafted APE file.
JunDong Xie of Ant-financial Light-Year Security Lab discovered that an attacker able to craft a RTMP stream can crash FFmpeg.
Liu Bingchang of IIE discovered an out-of-bound access that can be triggered by a crafted DNxHD file.
For the stable distribution (stretch), these problems have been fixed in version 7:3.2.7-1~deb9u1.
We recommend that you upgrade your ffmpeg packages.