Vulnerability Details: CVE-2017-14169
In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, an integer signedness error might occur when a crafted file, which claims a large "item_num" field such as 0xffffffff, is provided. As a result, the variable "item_num" turns negative, bypassing the check for a large value.
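The signedness error described above, as an added illustration that is not FFmpeg's code: a 32-bit big-endian count is read from a constructed primer-pack header and compared against an upper bound, once with the count stored in a signed int (the value 0xffffffff becomes -1 and slips past the "too large" check) and once with it kept unsigned (the check holds). The helper name read_be32, the MAX_ITEMS bound and the sample headers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from libavformat/mxfdec.c. read_be32() stands in for
 * the big-endian 32-bit field read; its name and signature are an assumption. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Upper bound on the item count; the exact limit is an assumption here. */
#define MAX_ITEMS 65536

/* Vulnerable pattern: the field is stored in a signed int. A header value of
 * 0xffffffff becomes -1 (on the usual two's-complement targets), so the
 * "item_num > MAX_ITEMS" test is false and the bogus count is accepted.
 * Returns 1 if the count is accepted, 0 if it is rejected. */
int check_item_num_signed(const unsigned char *hdr)
{
    int item_num = (int)read_be32(hdr);   /* sign error happens here */
    if (item_num > MAX_ITEMS)
        return 0;
    return 1;
}

/* Hardened pattern: keep the field unsigned, so the comparison is made on the
 * full 32-bit value and 0xffffffff is rejected before any allocation. */
int check_item_num_unsigned(const unsigned char *hdr)
{
    uint32_t item_num = read_be32(hdr);
    if (item_num > MAX_ITEMS)
        return 0;
    return 1;
}

/* Constructed sample headers (not taken from any real MXF file). */
const unsigned char hdr_huge[4]  = { 0xff, 0xff, 0xff, 0xff };
const unsigned char hdr_small[4] = { 0x00, 0x00, 0x00, 0x10 };

int main(void)
{
    printf("signed check,   item_num=0xffffffff: %s\n",
           check_item_num_signed(hdr_huge) ? "accepted (bug)" : "rejected");
    printf("unsigned check, item_num=0xffffffff: %s\n",
           check_item_num_unsigned(hdr_huge) ? "accepted" : "rejected");
    printf("unsigned check, item_num=16: %s\n",
           check_item_num_unsigned(hdr_small) ? "accepted" : "rejected");
    return 0;
}
```

The fix is a type change rather than an extra comparison: once the count is held in an unsigned variable of the same width as the on-disk field, no bit pattern can read as negative, so the existing bound check is sufficient. The same reasoning applies to any length or count field that is read unsigned from a file and then compared against a limit.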
Vulnerability category: Input validation
Products affected by CVE-2017-14169
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:3.3.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-14169
- EPSS score: 0.41% (probability of exploitation activity in the next 30 days)
- Percentile: ~74% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-14169
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2017-14169
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-14169
- https://lists.debian.org/debian-lts-announce/2019/02/msg00005.html
  [SECURITY] [DLA 1654-1] libav security update (Third Party Advisory)
- http://www.debian.org/security/2017/dsa-3996
  Debian -- Security Information -- DSA-3996-1 ffmpeg (Third Party Advisory)
- https://github.com/FFmpeg/FFmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad
  avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() · FFmpeg/FFmpeg@9d00fb9 · GitHub (Issue Tracking; Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/100692
  FFmpeg 'libavformat/mxfdec.c' Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://github.com/FFmpeg/FFmpeg/commit/a4e85b2e1c8d5b4bf0091157bbdeb0e457fb7b8f
  avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() · FFmpeg/FFmpeg@a4e85b2 · GitHub