Security update for ffmpeg SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1531-1 Final 1 1 2017-06-11T09:31:47Z current 2017-06-11T09:31:47Z 2017-06-11T09:31:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ffmpeg This update of ffmpeg to version 3.1.8 fixes the following security issues: - CVE-2016-9561: DoS through huge memory allocation (bsc#1015120) - CVE-2016-10191: remote code execution vulnerability (bsc#1022921) - CVE-2016-10192: remote code execution vulnerability (bsc#1022922) - CVE-2017-5024: Heap overflow - CVE-2017-5025: Heap overflow The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-673 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1015120 SUSE Bug 1015120 https://bugzilla.suse.com/1022921 SUSE Bug 1022921 https://bugzilla.suse.com/1022922 SUSE Bug 1022922 https://www.suse.com/security/cve/CVE-2016-10191/ SUSE CVE CVE-2016-10191 page https://www.suse.com/security/cve/CVE-2016-10192/ SUSE CVE CVE-2016-10192 page https://www.suse.com/security/cve/CVE-2016-9561/ SUSE CVE CVE-2016-9561 page https://www.suse.com/security/cve/CVE-2017-5024/ SUSE CVE CVE-2017-5024 page https://www.suse.com/security/cve/CVE-2017-5025/ SUSE CVE CVE-2017-5025 page SUSE Package Hub 12 SP2 ffmpeg-3.1.8-8.1 libavcodec-devel-3.1.8-8.1 libavcodec57-3.1.8-8.1 libavdevice-devel-3.1.8-8.1 libavdevice57-3.1.8-8.1 libavfilter-devel-3.1.8-8.1 libavfilter6-3.1.8-8.1 libavformat-devel-3.1.8-8.1 libavformat57-3.1.8-8.1 libavresample-devel-3.1.8-8.1 libavresample3-3.1.8-8.1 libavutil-devel-3.1.8-8.1 libavutil55-3.1.8-8.1 libpostproc-devel-3.1.8-8.1 libpostproc54-3.1.8-8.1 libswresample-devel-3.1.8-8.1 libswresample2-3.1.8-8.1 libswscale-devel-3.1.8-8.1 libswscale4-3.1.8-8.1 ffmpeg-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavcodec-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavcodec57-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavdevice-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavdevice57-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavfilter-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavfilter6-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavformat-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavformat57-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavresample-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavresample3-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavutil-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libavutil55-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libpostproc-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libpostproc54-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libswresample-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libswresample2-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libswscale-devel-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 libswscale4-3.1.8-8.1 as a component of SUSE Package Hub 12 SP2 Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches. CVE-2016-10191 SUSE Package Hub 12 SP2:ffmpeg-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter6-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample3-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil55-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc54-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample2-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale4-3.1.8-8.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10191.html CVE-2016-10191 https://bugzilla.suse.com/1022921 SUSE Bug 1022921 Heap-based buffer overflow in ffserver.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check chunk size. CVE-2016-10192 SUSE Package Hub 12 SP2:ffmpeg-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter6-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample3-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil55-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc54-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample2-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale4-3.1.8-8.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10192.html CVE-2016-10192 https://bugzilla.suse.com/1022922 SUSE Bug 1022922 The che_configure function in libavcodec/aacdec_template.c in FFmpeg before 3.2.1 allows remote attackers to cause a denial of service (allocation of huge memory, and being killed by the OS) via a crafted MOV file. CVE-2016-9561 SUSE Package Hub 12 SP2:ffmpeg-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter6-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample3-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil55-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc54-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample2-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale4-3.1.8-8.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9561.html CVE-2016-9561 https://bugzilla.suse.com/1015120 SUSE Bug 1015120 FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted video file. CVE-2017-5024 SUSE Package Hub 12 SP2:ffmpeg-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter6-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample3-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil55-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc54-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample2-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale4-3.1.8-8.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5024.html CVE-2017-5024 https://bugzilla.suse.com/1022049 SUSE Bug 1022049 FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted video file. CVE-2017-5025 SUSE Package Hub 12 SP2:ffmpeg-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavcodec57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavdevice57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavfilter6-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavformat57-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavresample3-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libavutil55-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libpostproc54-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswresample2-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale-devel-3.1.8-8.1 SUSE Package Hub 12 SP2:libswscale4-3.1.8-8.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5025.html CVE-2017-5025 https://bugzilla.suse.com/1022049 SUSE Bug 1022049