Bug 1049095 (CVE-2017-11399) - VUL-0: CVE-2017-11399: FFMpeg: Integer overflow in the ape_decode_frame function in libavcodec/apedec.c inFFmpeg through 3.3.2 allows remote attackers to cause a denial of service (out-of-array acces)
Summary: VUL-0: CVE-2017-11399: FFMpeg: Integer overflow in the ape_decode_frame funct...
Status: RESOLVED FIXED
Alias: CVE-2017-11399
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Jan Engelhardt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/188627/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-18 07:51 UTC by Victor Pereira
Modified: 2024-04-22 17:15 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2017-07-18 07:51:48 UTC 
CVE-2017-11399

Integer overflow in the ape_decode_frame function in libavcodec/apedec.c in
FFmpeg through 3.3.2 allows remote attackers to cause a denial of service
(out-of-array access and application crash) or possibly have unspecified other
impact via a crafted APE file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11399
https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0
Comment 1 Bernhard Wiedemann 2017-07-18 16:00:25 UTC 
This is an autogenerated message for OBS integration:
This bug (1049095) was mentioned in
https://build.opensuse.org/request/show/511228 Factory / ffmpeg
Comment 2 Jan Engelhardt 2017-07-19 08:21:49 UTC 
APE is not build-enabled.
Comment 3 Swamp Workflow Management 2017-09-15 22:10:28 UTC 
openSUSE-SU-2017:2501-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1041794,1046211,1049095,1056760,1056761,1056762,1056763,1056765,1056766,1057536,1057537,1057539,1058018,1058019,1058020
CVE References: CVE-2017-11399,CVE-2017-14054,CVE-2017-14055,CVE-2017-14056,CVE-2017-14057,CVE-2017-14058,CVE-2017-14059,CVE-2017-14169,CVE-2017-14170,CVE-2017-14171,CVE-2017-14222,CVE-2017-14223,CVE-2017-14225
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg-3.3.4-6.16.1, ffmpeg2-2.8.13-25.10.1, lame-3.99.5-2.1, twolame-0.3.13-2.1
Comment 4 Swamp Workflow Management 2017-09-15 22:14:07 UTC 
openSUSE-SU-2017:2502-1: An update that solves 20 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179,1046211,1049095,1056760,1056761,1056762,1056763,1056765,1056766,1057536,1057537,1057539,1058018,1058019,1058020
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-11399,CVE-2017-14054,CVE-2017-14055,CVE-2017-14056,CVE-2017-14057,CVE-2017-14058,CVE-2017-14059,CVE-2017-14169,CVE-2017-14170,CVE-2017-14171,CVE-2017-14222,CVE-2017-14223,CVE-2017-14225,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.3.4-7.1, ffmpeg2-2.8.13-32.1, lame-3.99.5-2.1, twolame-0.3.13-2.1
Comment 5 Swamp Workflow Management 2018-07-18 14:41:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1049095) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq
Comment 7 OBSbugzilla Bot 2024-04-22 14:25:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1049095) was mentioned in
https://build.opensuse.org/request/show/1169676 Backports:SLE-15-SP5 / ffmpeg-4
Comment 8 OBSbugzilla Bot 2024-04-22 17:15:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1049095) was mentioned in
https://build.opensuse.org/request/show/1169721 Backports:SLE-15-SP5 / ffmpeg-4