Bugzilla – Bug 1051859
VUL-1: CVE-2017-12143: libquicktime: Allocation failure in functionquicktime_read_info in lqt_quicktime.c, which allows attackers to cause DoS
Last modified: 2020-06-29 06:29:50 UTC
Created attachment 734935 [details] Reproducer CVE-2017-12143 In libquicktime 1.2.4, an allocation failure was found in the function quicktime_read_info in lqt_quicktime.c, which allows attackers to cause a denial of service via a crafted file. qtinfo allocation-failed-in_quicktime_read_info qtinfo lives in libquicktime-tools from OBS References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12143 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12143
I tested the latest libquicktime in SLE12SP2, openSUSE:Factory and openSUSE:Leap and it seems that we are not affected thanks to our recent security fix for multiple CVEs (patch libquicktime-<version>-multiple_vulnerabilities.patch for CVEs from CVE-2017-9122 to CVE-2017-9128). I haven't tested SLE11 but as we have the same multiple_vulnerabilities patch there I expect the same results. Test output for SLE12SP2: ------------------------- # zypper se -s libquicktime | grep ^i i+ | libquicktime-tools | package | 1.2.4-0 | x86_64 | (System Packages) i | libquicktime0 | package | 1.2.4-14.3.1 | x86_64 | SLES12-SP2-Updates # qtinfo allocation-failed-in_quicktime_read_info [core] Error: Opening failed (unsupported filetype) Couldn't open allocation-failed-in_quicktime_read_info --- I'm reassigning it back to the security-team.
already fixed by other cve fixes.