Your submission was sent successfully! Close

CVE-2015-1872

Published: 26 July 2015

The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Motion JPEG data.

Notes

AuthorNote
mdeslaur
as of 2016-03-11, doesn't look fixed in libav
ebarretto
as of 2018-09-27, the fix is only available in libav 0.8.x
the fix was not backported or applied to any other version
so considered ignored for trusty's version.
Priority

Low

Status

Package Release Status
gst-libav1.0
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Not vulnerable
(compiled with `--with-system-libav`)
cosmic Not vulnerable
(compiled with `--with-system-libav`)
disco Not vulnerable
(compiled with `--with-system-libav`)
eoan Not vulnerable
(compiled with `--with-system-libav`)
focal Not vulnerable
(compiled with `--with-system-libav`)
groovy Not vulnerable
(compiled with `--with-system-libav`)
hirsute Not vulnerable
(compiled with `--with-system-libav`)
impish Not vulnerable
(compiled with `--with-system-libav`)
jammy Not vulnerable
(compiled with `--with-system-libav`)
precise Does not exist

trusty Does not exist
(trusty was not-affected [compiled with `--with-system-libav`])
upstream Needed

vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Not vulnerable
(compiled with `--with-system-libav`)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
Patches:
other: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037


gstreamer0.10-ffmpeg
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist
(precise was needed)
trusty Does not exist

upstream Needed

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:

other: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037

kino
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Needed

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needed

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Ignored
(reached end-of-life)
jammy Needed

precise Does not exist
(precise was needed)
trusty Does not exist
(trusty was needed)
upstream Needed

vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Ignored
(end of standard support, was needed)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
Patches:


other: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037
libav
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist
(precise was released [4:0.8.17-0ubuntu0.12.04.2])
trusty Does not exist
(trusty was ignored)
upstream Needed

vivid Ignored
(reached end-of-life)
wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist