CVE-2018-1999012

CVE-2018-1999012

Name

CVE-2018-1999012

Description

FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially crafted PVA file has to be provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Issue Tracking	https://github.com/FFmpeg/FFmpeg/commit/9807d3976be0e92e4ece3b4b1701be894cd7c2e1
Third Party Advisory	http://www.securityfocus.com/bid/104896
MLIST	https://lists.debian.org/debian-lts-announce/2019/03/msg00041.html

Type

URI

Issue Tracking

https://github.com/FFmpeg/FFmpeg/commit/9807d3976be0e92e4ece3b4b1701be894cd7c2e1

Third Party Advisory

http://www.securityfocus.com/bid/104896

MLIST

https://lists.debian.org/debian-lts-announce/2019/03/msg00041.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:ffmpeg:ffmpeg::::::::`	ffmpeg	>= None	<= 4.0.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*

ffmpeg

>= None

<= 4.0.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
ffmpeg5	edge-community	4.0.2-r0	None	fixed
ffmpeg4	edge-community	4.0.2-r0	None	fixed
ffmpeg4	3.22-community	4.0.2-r0	None	fixed
ffmpeg4	3.21-community	4.0.2-r0	None	fixed
ffmpeg4	3.20-community	4.0.2-r0	None	fixed
ffmpeg4	3.19-community	4.0.2-r0	None	fixed
ffmpeg4	3.18-community	4.0.2-r0	None	fixed
ffmpeg4	3.17-community	4.0.2-r0	None	fixed
ffmpeg	edge-community	4.0.2-r0	None	fixed
ffmpeg	edge-community	4.0.1-r0	None	possibly vulnerable
ffmpeg	edge-community	4.0.0-r0	None	possibly vulnerable
ffmpeg	edge-community	3.4.4-r0	None	possibly vulnerable
ffmpeg	edge-community	3.4.3-r0	None	possibly vulnerable
ffmpeg	edge-community	3.3.4-r0	None	possibly vulnerable
ffmpeg	3.22-community	4.0.2-r0	None	fixed
ffmpeg	3.22-community	4.0.1-r0	None	possibly vulnerable
ffmpeg	3.22-community	4.0.0-r0	None	possibly vulnerable
ffmpeg	3.22-community	3.4.4-r0	None	possibly vulnerable
ffmpeg	3.22-community	3.4.3-r0	None	possibly vulnerable
ffmpeg	3.22-community	3.3.4-r0	None	possibly vulnerable
ffmpeg	3.21-community	4.0.2-r0	None	fixed
ffmpeg	3.20-community	4.0.2-r0	None	fixed
ffmpeg	3.19-community	4.0.2-r0	None	fixed
ffmpeg	3.18-community	4.0.2-r0	None	fixed
ffmpeg	3.17-community	4.0.2-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

ffmpeg5

edge-community

4.0.2-r0

None

fixed

ffmpeg4

edge-community