| Bug ID | 1022920 |
|---|---|
| Summary | VUL-0: ffmpeg: remote exploitaion results code execution [ 1 - libavformat/http.c ] |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 42.2 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | security-team@suse.de |
| Reporter | mikhail.kasimov@gmail.com |
| QA Contact | qa-bugs@suse.de |
| Found By | --- |
| Blocker | --- |
Ref: http://seclists.org/oss-sec/2017/q1/245 =================================================== This letter is a result of research made by Emil Lerner <neex.emil () gmail com <mailto:neex.emil () gmail com>> and Pavel Cheremushkin <paulcher () seclab cs msu su <mailto:paulcher () seclab cs msu su>> and it is supposed to disclosed multiple issues we managed to find and exploit in FFmpeg software. Despite that all vulnerabilities have been successfully patched by FFmpeg developers this letter is supposed to clarify all these issues and show that they are exploitable. --[ 1 - libavformat/http.c ] After executing of http_read_stream we read each http header, where we pass "Transfer-Encoding: chunked��� header, and we come into http_buf_read function [1]. Due to incorrect use of strtoll function and integer sizes (chunk_size in int64_t)[2], it was possible to pass negative chunk_size in chunk encoding, so after computing final size using FFMIN function later on it would be passed as argument to avio_read function. This results a heap-overflow which we found out to be exploitable, because overflowed buffer is allocated right next to the AVIOContext structure[3]. Overflowing function pointer in this structure immediately results rip control and then code execution. * [1] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/http.c#L1166 * [2] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/http.c#L1259 * [3] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/aviobuf.c#L899 This issue was fixed in https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa =================================================== Comment on Ref: http://seclists.org/oss-sec/2017/q1/251 =================================================== In case anyone else is curious, here are the corresponding commits reachable from the n3.2.2 release tag: https://github.com/FFmpeg/FFmpeg/commit/0e0a413725e0221e1a9d0b7595e22bf57e23a09c =================================================== (open-)SUSE: https://software.opensuse.org/package/ffmpeg TW: 3.2.22 42.2: 3.2 42.1: 2.8.8