CLD-457 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-13302 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) ffmpeg
Deficiency Type SECURITY
Date Created 2018-07-05 16:19:20
Date Last Modified 2018-07-18 11:27:49

Version Specific Information:

Cucumber 1.0 i686 vulnerable
Cucumber 1.0 x86_64 vulnerable

Cucumber 1.1 i686 vulnerable
Cucumber 1.1 x86_64 vulnerable

Details:

================================= Our Analysis =================================

----- Affected Products -----
Versions of ffmpeg 3.3.x up to and including 3.3.7 are vulnerable, unless they
have had the patch from
https://github.com/FFmpeg/FFmpeg/commit/ed22dc22216f74c75ee7901f82649e1ff725ba50
applied. As of this writing (Wed Jul 18 11:29:04 EDT 2018), 3.3.7 is the latest
version of ffmpeg 3.3.x; it is unknown if future versions will be affected.

Ffmpeg as originally packaged in Cucumber Linux 1.0 and 1.1 is vulnerable.

----- Scope and Impact of this Vulnerability -----
Allowed for a denial of service (application crash) or possibly other
unspecified impacts while converting a specially crafted AVI file to MPEG4.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://github.com/FFmpeg/FFmpeg/commit/ed22dc22216f74c75ee7901f82649e1ff725ba50.

================================= Our Solution =================================

We are in the process of applying the aforementioned patch and rebuilding.