http://bugzilla.opensuse.org/show_bug.cgi?id=1022921 Bug ID: 1022921 Summary: VUL-0: ffmpeg: remote exploitaion results code execution [ 2 - libavformat/rtmppkt.c ] Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Ref: http://seclists.org/oss-sec/2017/q1/245 =================================================== This letter is a result of research made by Emil Lerner <neex.emil () gmail com <mailto:neex.emil () gmail com>> and Pavel Cheremushkin <paulcher () seclab cs msu su <mailto:paulcher () seclab cs msu su>> and it is supposed to disclosed multiple issues we managed to find and exploit in FFmpeg software. Despite that all vulnerabilities have been successfully patched by FFmpeg developers this letter is supposed to clarify all these issues and show that they are exploitable. --[ 2 - libavformat/rtmppkt.c ] Issue is connected with buffer overflow on the heap in RTMP protocol. After a bit of reverse engineering of RTMP protocol you can notice that it uses chunk (of max 0x80 bytes) to _transfer_ data, but chunks of more size could be used to _store_ the data. Because size of packet is not check that it is the same as it was in the same transmission you can first send packet with smaller size and then bigger size, and this results heap-overflow[1]. If you can align chunks right you can achieve white-what-where condition and that results and RCE. * [1] - https://github.com/FFmpeg/FFmpeg/blob/d903b4e3ad4a81b3dd79f12c2f3b9cb16e5111... The issue was fixed in https://github.com/FFmpeg/FFmpeg/commit/7d57ca4d9a75562fa32e40766211de150f8b... =================================================== Comment on Ref: http://seclists.org/oss-sec/2017/q1/251 =================================================== In case anyone else is curious, here are the corresponding commits reachable from the n3.2.2 release tag: https://github.com/FFmpeg/FFmpeg/commit/32b95471a86ae383c0f76361d954aec511f7... =================================================== (open-)SUSE: https://software.opensuse.org/package/ffmpeg TW: 3.2.22 42.2: 3.2 42.1: 2.8.8 -- You are receiving this mail because: You are on the CC list for the bug.