CVE-2019-13615
Published: 16 July 2019
libebml before 1.3.6, as used in the MKV module in VideoLAN VLC Media Player binaries before 3.0.3, has a heap-based buffer over-read in EbmlElement::FindNextElement.
Notes
Author | Note |
---|---|
mdeslaur | upstream ticket says this is actually an issue in libebml that was fixed in 1.3.6. marking priority as "low" since a heap-based buffer over-read will likely just result in a crash, not in code execution |
Priority
Status
Package | Release | Status |
---|---|---|
libebml (Launchpad, Ubuntu, Debian) | upstream | Released (1.3.6) |
| bionic | Released (1.3.5-2ubuntu0.1) |
| cosmic | Ignored (end of life, was needed) |
| disco | Not vulnerable (1.3.6-2) |
| trusty | Does not exist |
| xenial | Released (1.3.3-1ubuntu0.1) |
vlc (Launchpad, Ubuntu, Debian) | upstream | Needs triage |
| bionic | Not vulnerable (code not present) |
| cosmic | Not vulnerable (code not present) |
| disco | Not vulnerable (code not present) |
| trusty | Does not exist |
| xenial | Not vulnerable (code not present) |

Patches (libebml):
- upstream: https://github.com/Matroska-Org/libebml/commit/05beb69ba60acce09f73ed491bb76f332849c3a0.patch
- upstream: https://github.com/Matroska-Org/libebml/commit/ff0dc3cc21494578ce731f5d7dcde5fdec23d40f.patch
- upstream: https://github.com/Matroska-Org/libebml/commit/b66ca475be967547af9a3784e720fbbacd381be6.patch
- upstream: https://github.com/Matroska-Org/libebml/commit/534dfdb995edc18e528de8ce9fa20b3df88426ae.patch
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |