ESB-2019.0065 - [Debian] libav: Multiple vulnerabilities 2019-01-08


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0065
                           libav security update
                              8 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libav
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1999010 CVE-2018-14394 CVE-2018-7557
                   CVE-2018-6621 CVE-2017-17130 CVE-2017-15672
                   CVE-2017-14767 CVE-2017-14171 CVE-2017-14170
                   CVE-2017-14057 CVE-2017-14056 CVE-2017-14055
                   CVE-2017-9994 CVE-2017-9993 

Reference:         ESB-2018.2075
                   ESB-2017.2147

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libav
Version        : 6:11.12-1~deb8u4
CVE ID         : CVE-2017-9993 CVE-2017-9994 CVE-2017-14055
                 CVE-2017-14056 CVE-2017-14057 CVE-2017-14170
                 CVE-2017-14171 CVE-2017-14767 CVE-2017-15672
                 CVE-2017-17130 CVE-2018-6621 CVE-2018-7557
                 CVE-2018-14394 CVE-2018-1999010

Several security vulnerabilities were corrected in the libav
multimedia library which may lead to a denial-of-service, information
disclosure or the execution of arbitrary code if a malformed file is
processed.


CVE-2017-9993

    Libav does not properly restrict HTTP Live Streaming filename
    extensions and demuxer names, which allows attackers to read
    arbitrary files via crafted playlist data.

CVE-2017-9994

    libavcodec/webp.c in Libav does not ensure that pix_fmt is set,
    which allows remote attackers to cause a denial of service
    (heap-based buffer overflow and application crash) or possibly have
    unspecified other impact via a crafted file, related to the
    vp8_decode_mb_row_no_filter and pred8x8_128_dc_8_c functions.

CVE-2017-14055

    Denial-of-service in mv_read_header() due to lack of an EOF (End of
    File) check might cause huge CPU and memory consumption.

CVE-2017-14056

    Denial-of-service in rl2_read_header() due to lack of an EOF
    (End of File) check might cause huge CPU and memory consumption.

CVE-2017-14057

    Denial-of-service in asf_read_marker() due to lack of an EOF
    (End of File) check might cause huge CPU and memory consumption.

CVE-2017-14170

    Denial-of-service in mxf_read_index_entry_array() due to lack of an
    EOF (End of File) check might cause huge CPU consumption.

CVE-2017-14171

    Denial-of-service in nsv_parse_NSVf_header() due to lack of an EOF
    (End of File) check might cause huge CPU consumption.

CVE-2017-14767

    The sdp_parse_fmtp_config_h264 function in
    libavformat/rtpdec_h264.c mishandles empty sprop-parameter-sets
    values, which allows remote attackers to cause a denial of service
    (heap buffer overflow) or possibly have unspecified other impact via
    a crafted sdp file.

CVE-2017-15672

    The read_header function in libavcodec/ffv1dec.c allows remote
    attackers to have unspecified impact via a crafted MP4 file, which
    triggers an out-of-bounds read.

CVE-2017-17130

    The ff_free_picture_tables function in libavcodec/mpegpicture.c
    allows remote attackers to cause a denial of service
    (heap-based buffer overflow and application crash) or possibly have
    unspecified other impact via a crafted file, related to
    vc1_decode_i_blocks_adv.

CVE-2018-6621

    The decode_frame function in libavcodec/utvideodec.c in Libav allows
    remote attackers to cause a denial of service (out of array read)
    via a crafted AVI file.

CVE-2018-7557

    The decode_init function in libavcodec/utvideodec.c in
    Libav allows remote attackers to cause a denial of service
    (Out of array read) via an AVI file with crafted dimensions within
    chroma subsampling data.

CVE-2018-14394

    libavformat/movenc.c in Libav allows attackers to cause a
    denial of service (application crash caused by a divide-by-zero
    error) with a user crafted Waveform audio file.

CVE-2018-1999010

    Libav contains multiple out of array access vulnerabilities in the
    mms protocol that can result in attackers accessing out of bound
    data.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u4.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------
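Confirming that the fixed version is actually installed means comparing package versions with Debian's own ordering rules, under which a tilde sorts before anything else, even the end of the string, so 6:11.12-1~deb8u4 is older than 6:11.12-1 although a plain string comparison says otherwise. The block below is an added example written for this bulletin, not code from Debian or AusCERT; it assumes input lines shaped like `dpkg-query -W -f '${Package} ${Version}\n'` output, and the package names and older versions in its sample are constructed.

```python
import re
from itertools import zip_longest

FIXED_VERSION = "6:11.12-1~deb8u4"  # fixed version named in the advisory

def _weight(c):
    # dpkg weight: '~' before anything (even end of string, which weighs 0),
    # letters before other symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _runs(s):
    # Alternating (non-digit, digit) runs of one version component; the
    # trailing 0 pads each non-digit run so '~' ranks below end of string.
    return [([_weight(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", s)]

def _cmp_component(a, b):
    for x, y in zip_longest(_runs(a), _runs(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    # '[epoch:]upstream[-revision]'; the LAST '-' separates the revision.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_component(ua, ub) or _cmp_component(ra, rb)

def unpatched(dpkg_lines, fixed=FIXED_VERSION):
    """Package names still below `fixed`; lines are shaped like the output of
    dpkg-query -W -f '${Package} ${Version}\\n'."""
    flagged = []
    for line in dpkg_lines:
        name, _, version = line.strip().partition(" ")
        if version and compare_versions(version, fixed) < 0:
            flagged.append(name)
    return flagged

# Constructed sample input (package names and older versions are illustrative).
SAMPLE = ["libavcodec56 6:11.12-1~deb8u4",
          "libavformat56 6:11.12-1~deb8u3",
          "libav-tools 6:11.11-1~deb8u2"]
```

On a real host, feed `unpatched()` the lines of `dpkg-query -W -f '${Package} ${Version}\n'` filtered to the libav binary packages; an empty result means every listed package is at or above the fixed version.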

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
