FFmpeg 2.0 libavcodec/snow.h add_yblock memory corruption

A vulnerability classified as problematic has been found in FFmpeg 2.0. This affects the function add_yblock of the file libavcodec/snow.h. The manipulation leads to memory corruption. The CWE definition for the vulnerability is CWE-119. The issue has been introduced in 07/11/2013. The weakness was presented 02/16/2014 by Mateusz Jurczyk and Gynvael Coldwind (j00ru) with Google Security Team as avcodec/snow: split block clipping checks as GIT Commit (GIT Repository). The advisory is shared at git.videolan.org. This vulnerability is uniquely identified as CVE-2014-125009. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The price for an exploit might be around USD $0-$5k at the moment. The vulnerability was handled as a non-public zero-day exploit for at least 220 days. We expect the 0-day to have been worth approximately $0-$5k. The bugfix is ready for download at git.videolan.org. It is recommended to apply a patch to fix this issue. A possible mitigation has been published even before and not after the disclosure of the vulnerability. The vulnerability is also documented other vulnerability databases: SecurityFocus (BID 65671), X-Force (91258) and Secunia (SA57066).

Field02/24/2014 08:1804/17/2019 07:5006/17/2022 23:28
typeMultimedia Processing SoftwareMultimedia Processing SoftwareMultimedia Processing Software
nameFFmpegFFmpegFFmpeg
version2.02.02.0
filelibavcodec/snow.hlibavcodec/snow.hlibavcodec/snow.h
functionadd_yblockadd_yblockadd_yblock
introductiondate137350080013735008001373500800
risk111
cvss2_vuldb_basescore4.34.34.3
cvss2_vuldb_tempscore3.23.23.2
cvss2_vuldb_avNNN
cvss2_vuldb_acMMM
cvss2_vuldb_auNNN
cvss2_vuldb_ciNNN
cvss2_vuldb_iiNNN
cvss2_vuldb_aiPPP
cvss3_meta_basescore5.35.35.3
cvss3_meta_tempscore4.64.64.6
cvss3_vuldb_basescore5.35.35.3
cvss3_vuldb_tempscore4.64.64.6
date1392508800 (02/16/2014)1392508800 (02/16/2014)1392508800 (02/16/2014)
locationGIT RepositoryGIT RepositoryGIT Repository
typeGIT CommitGIT CommitGIT Commit
urlhttp://git.videolan.org/?p=ffmpeg.git;a=commit;h=61d59703c91869f4e5cdacd8d6be52f8b89d4ba4http://git.videolan.org/?p=ffmpeg.git;a=commit;h=61d59703c91869f4e5cdacd8d6be52f8b89d4ba4http://git.videolan.org/?p=ffmpeg.git;a=commit;h=61d59703c91869f4e5cdacd8d6be52f8b89d4ba4
identifieravcodec/snow: split block clipping checksavcodec/snow: split block clipping checksavcodec/snow: split block clipping checks
person_nameMateusz Jurczyk/Gynvael ColdwindMateusz Jurczyk/Gynvael ColdwindMateusz Jurczyk/Gynvael Coldwind
person_websitehttp://www.google.comhttp://www.google.comhttp://www.google.com
company_nameGoogle Security TeamGoogle Security TeamGoogle Security Team
price_0day$0-$5k$0-$5k$0-$5k
namePatchPatchPatch
patch_urlhttp://git.videolan.org/?p=ffmpeg.git;a=commit;h=61d59703c91869f4e5cdacd8d6be52f8b89d4ba4http://git.videolan.org/?p=ffmpeg.git;a=commit;h=61d59703c91869f4e5cdacd8d6be52f8b89d4ba4http://git.videolan.org/?p=ffmpeg.git;a=commit;h=61d59703c91869f4e5cdacd8d6be52f8b89d4ba4
secunia570665706657066
secunia_titleFFmpeg Multiple VulnerabilitiesFFmpeg Multiple VulnerabilitiesFFmpeg Multiple Vulnerabilities
secunia_riskLess CriticalLess CriticalLess Critical
securityfocus656716567165671
securityfocus_titleFFmpeg Multiple Security VulnerabilitiesFFmpeg Multiple Security VulnerabilitiesFFmpeg Multiple Security Vulnerabilities
xforce912589125891258
xforce_titleFFmpeg add_yblock() denial of serviceFFmpeg add_yblock() denial of serviceFFmpeg add_yblock() denial of service
xforce_identifierffmpeg-addyblock-dosffmpeg-addyblock-dosffmpeg-addyblock-dos
xforce_riskMedium RiskMedium RiskMedium Risk
seealso12389 12390 12391 1239212389 12390 12391 1239212389 12390 12391 12392
cwe119 (memory corruption)119 (memory corruption)119 (memory corruption)
cvss2_vuldb_eUUU
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_rcCCC
cvss3_vuldb_eUUU
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
0day_days220220220
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prNNN
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cNNN
cvss3_vuldb_iNNN
cvss3_vuldb_aLLL
person_nicknamej00ruj00ru
secunia_date1392768000 (02/19/2014)1392768000 (02/19/2014)
securityfocus_date1392681600 (02/18/2014)1392681600 (02/18/2014)
securityfocus_classBoundary Condition ErrorBoundary Condition Error
cveCVE-2014-125009
responsibleVulDB

PreviousOverviewNext

Might our Artificial Intelligence support you?

Check our Alexa App!