Errata ID | 114 |
---|---|
Date | 2019-05-29 |
Source package | ffmpeg |
Fixed in version | 7:3.2.14-1~deb9u1 |
Description | This update addresses the following issues: * The flv_write_packet function in libavformat/flvenc.c does not check for an empty audio packet, leading to an assertion failure. (CVE-2018-15822) * FFmpeg contains a buffer overflow vulnerability in the asf_o format demuxer that can result in a heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via a specially crafted ASF file that has to be provided as input to FFmpeg. (CVE-2018-1999011) * Denial of service in the subtitle decoder allows attackers to hog CPU via a crafted video file. (CVE-2019-9718) * libavcodec/hevcdec.c mishandles detection of duplicate first slices, which allows remote attackers to cause a denial of service (NULL pointer dereference and out-of-array access) or possibly have unspecified other impact via crafted HEVC data. (CVE-2019-11338) |
Additional notes | |
CVE ID | CVE-2018-15822, CVE-2018-1999011, CVE-2019-9718, CVE-2019-11338 |
UCS Bug number | #49545 |