CVE-2018-1999011

CVE-2018-1999011

Name

CVE-2018-1999011

Description

FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provided as input to FFmpeg. This vulnerability appears to have been fixed in 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 and later.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Issue Tracking	https://github.com/FFmpeg/FFmpeg/commit/2b46ebdbff1d8dec7a3d8ea280a612b91a582869
Third Party Advisory	http://www.securityfocus.com/bid/104896
BUGTRAQ	https://seclists.org/bugtraq/2019/May/60
DEBIAN	https://www.debian.org/security/2019/dsa-4449

Type

URI

Issue Tracking

https://github.com/FFmpeg/FFmpeg/commit/2b46ebdbff1d8dec7a3d8ea280a612b91a582869

Third Party Advisory

http://www.securityfocus.com/bid/104896

BUGTRAQ

https://seclists.org/bugtraq/2019/May/60

DEBIAN

https://www.debian.org/security/2019/dsa-4449

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:ffmpeg:ffmpeg::::::::`	ffmpeg	>= None	<= 4.0.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*

ffmpeg

>= None

<= 4.0.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
ffmpeg5	edge-community	4.0.2-r0	None	fixed
ffmpeg4	edge-community	4.0.2-r0	None	fixed
ffmpeg4	3.22-community	4.0.2-r0	None	fixed
ffmpeg4	3.21-community	4.0.2-r0	None	fixed
ffmpeg4	3.20-community	4.0.2-r0	None	fixed
ffmpeg4	3.19-community	4.0.2-r0	None	fixed
ffmpeg4	3.18-community	4.0.2-r0	None	fixed
ffmpeg4	3.17-community	4.0.2-r0	None	fixed
ffmpeg	edge-community	4.0.2-r0	None	fixed
ffmpeg	edge-community	4.0.1-r0	None	possibly vulnerable
ffmpeg	edge-community	4.0.0-r0	None	possibly vulnerable
ffmpeg	edge-community	3.4.4-r0	None	possibly vulnerable
ffmpeg	edge-community	3.4.3-r0	None	possibly vulnerable
ffmpeg	edge-community	3.3.4-r0	None	possibly vulnerable
ffmpeg	3.22-community	4.0.2-r0	None	fixed
ffmpeg	3.22-community	4.0.1-r0	None	possibly vulnerable
ffmpeg	3.22-community	4.0.0-r0	None	possibly vulnerable
ffmpeg	3.22-community	3.4.4-r0	None	possibly vulnerable
ffmpeg	3.22-community	3.4.3-r0	None	possibly vulnerable
ffmpeg	3.22-community	3.3.4-r0	None	possibly vulnerable
ffmpeg	3.21-community	4.0.2-r0	None	fixed
ffmpeg	3.20-community	4.0.2-r0	None	fixed
ffmpeg	3.19-community	4.0.2-r0	None	fixed
ffmpeg	3.18-community	4.0.2-r0	None	fixed
ffmpeg	3.17-community	4.0.2-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

ffmpeg5

edge-community

4.0.2-r0

None

fixed

ffmpeg4

edge-community