http://bugzilla.opensuse.org/show_bug.cgi?id=1022921
Bug ID: 1022921
Summary: VUL-0: ffmpeg: remote exploitaion results code
execution [ 2 - libavformat/rtmppkt.c ]
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
Ref: http://seclists.org/oss-sec/2017/q1/245
===================================================
This letter is a result of research made by Emil Lerner > and
Pavel Cheremushkin > and it is supposed to disclosed
multiple issues we managed to find and exploit in FFmpeg software. Despite that
all vulnerabilities have been
successfully patched by FFmpeg developers this letter is supposed to clarify
all these issues and show that they are
exploitable.
--[ 2 - libavformat/rtmppkt.c ]
Issue is connected with buffer overflow on the heap in RTMP protocol. After a
bit of reverse engineering of RTMP
protocol you can notice that it uses chunk (of max 0x80 bytes) to _transfer_
data, but chunks of more size could be
used to _store_ the data. Because size of packet is not check that it is the
same as it was in the same transmission
you can first send packet with smaller size and then bigger size, and this
results heap-overflow[1]. If you can align
chunks right you can achieve white-what-where condition and that results and
RCE.
* [1] -
https://github.com/FFmpeg/FFmpeg/blob/d903b4e3ad4a81b3dd79f12c2f3b9cb16e5111...
The issue was fixed in
https://github.com/FFmpeg/FFmpeg/commit/7d57ca4d9a75562fa32e40766211de150f8b...
===================================================
Comment on Ref: http://seclists.org/oss-sec/2017/q1/251
===================================================
In case anyone else is curious, here are the corresponding commits
reachable from the n3.2.2 release tag:
https://github.com/FFmpeg/FFmpeg/commit/32b95471a86ae383c0f76361d954aec511f7...
===================================================
(open-)SUSE: https://software.opensuse.org/package/ffmpeg
TW: 3.2.22
42.2: 3.2
42.1: 2.8.8
--
You are receiving this mail because:
You are on the CC list for the bug.