Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2015-1872

Published: 26 July 2015

The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Motion JPEG data.

Notes

AuthorNote
mdeslaur 
as of 2016-03-11, doesn't look fixed in libav
ebarretto 
as of 2018-09-27, the fix is only available in libav 0.8.x
the fix was not backported or applied to any other version
so considered ignored for trusty's version.

Priority

Low

Status

Package Release Status
gst-libav1.0
Launchpad, Ubuntu, Debian 		artful Ignored
(reached end-of-life)
bionic Not vulnerable
(compiled with `--with-system-libav`)
cosmic Not vulnerable
(compiled with `--with-system-libav`)
disco Not vulnerable
(compiled with `--with-system-libav`)
eoan Not vulnerable
(compiled with `--with-system-libav`)
focal Not vulnerable
(compiled with `--with-system-libav`)
groovy Not vulnerable
(compiled with `--with-system-libav`)
hirsute Not vulnerable
(compiled with `--with-system-libav`)
impish Not vulnerable
(compiled with `--with-system-libav`)
jammy Not vulnerable
(compiled with `--with-system-libav`)
kinetic Not vulnerable
(compiled with `--with-system-libav`)
lunar Not vulnerable
(compiled with `--with-system-libav`)
precise Does not exist

trusty Does not exist
(trusty was not-affected [compiled with `--with-system-libav`])
upstream Needed

vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Not vulnerable
(compiled with `--with-system-libav`)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
Patches:
other: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037


gstreamer0.10-ffmpeg
Launchpad, Ubuntu, Debian 		artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

lunar Does not exist

precise Ignored
(reached end-of-life)
trusty Does not exist

upstream Needed

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:

other: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037

kino
Launchpad, Ubuntu, Debian 		artful Ignored
(reached end-of-life)
bionic Needed

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needed

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Ignored
(reached end-of-life)
jammy Needed

kinetic Does not exist

lunar Does not exist

precise Ignored
(reached end-of-life)
trusty Does not exist
(trusty was needed)
upstream Needed

vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Needed

yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
Patches:


other: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037
libav
Launchpad, Ubuntu, Debian 		artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

lunar Does not exist

precise
Released (4:0.8.17-0ubuntu0.12.04.2)
trusty Ignored

upstream Needed

vivid Ignored
(reached end-of-life)
wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading