Bug 957115 (CVE-2015-8364) - VUL-0: CVE-2015-8364: libav, ffmpeg: Check image dimensions / integer overflow
Summary: VUL-0: CVE-2015-8364: libav, ffmpeg: Check image dimensions / integer overflow
Status: RESOLVED FIXED
Alias: CVE-2015-8364
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: unspecified
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-30 10:18 UTC by Alexander Bergmann
Modified: 2018-07-18 14:43 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2015-11-30 10:18:20 UTC 
CVE-2015-8364

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=df91aa034b82b77a3c4e01791f4a2b2ff6c82066

avcodec/ivi: Check image dimensions

Fixes integer overflow
Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

References:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8364.html
Comment 1 Stanislav Brabec 2015-11-30 15:23:54 UTC 
Jan, Martin: Could you take this bug and apply these patches or upgrade to a unaffected version?
Comment 2 Swamp Workflow Management 2015-11-30 23:01:03 UTC 
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2015-12-07 13:00:13 UTC 
This is an autogenerated message for OBS integration:
This bug (957115) was mentioned in
https://build.opensuse.org/request/show/347766 Factory / ffmpeg
Comment 4 Bernhard Wiedemann 2015-12-09 09:00:12 UTC 
This is an autogenerated message for OBS integration:
This bug (957115) was mentioned in
https://build.opensuse.org/request/show/348011 Factory / ffmpeg
Comment 5 Bernhard Wiedemann 2015-12-18 20:00:14 UTC 
This is an autogenerated message for OBS integration:
This bug (957115) was mentioned in
https://build.opensuse.org/request/show/349562 42.1 / ffmpeg
Comment 6 Andreas Stieger 2015-12-19 17:14:48 UTC 
thanks Jan, update is running
Comment 7 Andreas Stieger 2015-12-26 20:52:47 UTC 
Releasing openSUSE Leap 42.1 Update
Comment 8 Andreas Stieger 2015-12-26 20:53:01 UTC 
Releasing openSUSE Leap 42.1 Update
Comment 9 Swamp Workflow Management 2015-12-27 00:12:17 UTC 
openSUSE-SU-2015:2370-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 957114,957115,957116
CVE References: CVE-2015-8363,CVE-2015-8364,CVE-2015-8365
Sources used:
openSUSE Leap 42.1 (src):    ffmpeg-2.8.3-6.1
Comment 10 Swamp Workflow Management 2018-07-18 14:43:26 UTC 
This is an autogenerated message for OBS integration:
This bug (957115) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq