Bug 1072366 (CVE-2017-17555) - VUL-1: CVE-2017-17555: ffmpeg: The swri_audio_convert function allows remote attackers to cause a DoS
Summary: VUL-1: CVE-2017-17555: ffmpeg: The swri_audio_convert function allows remote ...
Status: RESOLVED FIXED
Alias: CVE-2017-17555
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 42.3
Hardware: Other openSUSE Factory
: P4 - Low : Normal (vote)
Target Milestone: ---
Assignee: Jan Engelhardt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/196470/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-12 10:59 UTC by Johannes Segitz
Modified: 2024-04-22 17:15 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-12-12 10:59:24 UTC 
CVE-2017-17555

The swri_audio_convert function in audioconvert.c in FFmpeg libswresample
through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6, and other products,
allows remote attackers to cause a denial of service (NULL pointer dereference
and application crash) via a crafted audio file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17555
https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference%28DoS%29%20Vulnerability%20was%20found%20in%20function%20swri_audio_convert%20of%20ffmpeg%20libswresample.md
Comment 1 Swamp Workflow Management 2018-02-12 13:50:23 UTC 
This is an autogenerated message for OBS integration:
This bug (1072366) was mentioned in
https://build.opensuse.org/request/show/575779 42.3 / ffmpeg
Comment 2 Johannes Segitz 2018-02-14 07:32:02 UTC 
what information do you need?
Comment 3 Jan Engelhardt 2018-02-14 09:09:24 UTC 
Oh. I had originally set it to ask for where the bug actually is, but then found out myself.
Comment 4 Swamp Workflow Management 2018-02-19 14:10:40 UTC 
openSUSE-SU-2018:0470-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1064577,1066428,1069407,1070762,1072366,1078488,1079368
CVE References: CVE-2017-15186,CVE-2017-15672,CVE-2017-16840,CVE-2017-17081,CVE-2017-17555,CVE-2018-6392,CVE-2018-6621
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg-3.4.2-14.1
Comment 5 Swamp Workflow Management 2018-02-19 14:16:14 UTC 
openSUSE-SU-2018:0476-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1064577,1066428,1069407,1070762,1072366,1078488,1079368
CVE References: CVE-2017-15186,CVE-2017-15672,CVE-2017-16840,CVE-2017-17081,CVE-2017-17555,CVE-2018-6392,CVE-2018-6621
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.4.2-10.1
Comment 8 Jan Engelhardt 2018-03-08 01:05:58 UTC 
.
Comment 9 Swamp Workflow Management 2018-07-18 14:42:24 UTC 
This is an autogenerated message for OBS integration:
This bug (1072366) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq
Comment 13 OBSbugzilla Bot 2024-04-22 14:25:28 UTC 
This is an autogenerated message for OBS integration:
This bug (1072366) was mentioned in
https://build.opensuse.org/request/show/1169676 Backports:SLE-15-SP5 / ffmpeg-4
Comment 14 OBSbugzilla Bot 2024-04-22 17:15:27 UTC 
This is an autogenerated message for OBS integration:
This bug (1072366) was mentioned in
https://build.opensuse.org/request/show/1169721 Backports:SLE-15-SP5 / ffmpeg-4