Your submission was sent successfully! Close

CVE-2018-1999011

Published: 23 July 2018

FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provided as input to FFmpeg. This vulnerability appears to have been fixed in 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 and later.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
chromium-browser
Launchpad, Ubuntu, Debian
Upstream
Released
Ubuntu 21.10 (Impish Indri) Ignored

Ubuntu 21.04 (Hirsute Hippo) Ignored

Ubuntu 20.04 LTS (Focal Fossa) Ignored

Ubuntu 18.04 LTS (Bionic Beaver) Ignored

Ubuntu 16.04 ESM (Xenial Xerus) Ignored

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [no longer updated])
ffmpeg
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Not vulnerable
(7:4.1-1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(7:4.1-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(7:4.1-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(7:3.4.4-0ubuntu0.18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/FFmpeg/FFmpeg/commit/2b46ebdbff1d8dec7a3d8ea280a612b91a582869
gst-libav1.0
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
oxide-qt
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(Ubuntu touch end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [Ubuntu touch end-of-life])
qtwebengine-opensource-src
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

vlc
Launchpad, Ubuntu, Debian
Upstream Not vulnerable
(code not present)
Ubuntu 21.10 (Impish Indri) Not vulnerable
(code not present)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(code not present)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(code not present)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code not present)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [code not present])

Notes

AuthorNote
mdeslaur
marking chromium-browser as ignored, since we do full-version
updates, and rely on upstream's bundled ffmpeg version
ebarretto
According to upstream FFmpeg:
Code does not exist in 2.8

References