CVE-2017-9993

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

References

Affected packages

Git / github.com/ffmpeg/ffmpeg

Affected ranges

Type

GIT

Repo

https://github.com/ffmpeg/ffmpeg

Events

Introduced

Fixed

ffab459e4e491384756cf8bae0f3922c5e4f6271

Introduced

c40983a6f631d22fede713d535bb9c31d5c9740c

Fixed

a2d9595a4b4e0e6fe85683ff79774fd618b282cc

Introduced

340cea9f22c162e10d120835661e132721b7454b

Fixed

431ccd3f55eae8732fe901622660c52fc712cc25

Introduced

efa89a841941bf61d1a3eb5c2900f98e3e7db85b

Fixed

6d7192bcb7bbab17dc194e8dbb56c208bced0a92

Introduced

Last affected

140fd653aed8cad774f991ba083e2d01e86420c7

Fixed

189ff4219644532bdfa7bab28dfedaee4d6d4021

Fixed

a5d849b149ca67ced2d271dc84db0bc95a548abb

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.8.12"
        },
        {
            "introduced": "3.0"
        },
        {
            "fixed": "3.1.9"
        },
        {
            "introduced": "3.2"
        },
        {
            "fixed": "3.2.6"
        },
        {
            "introduced": "3.3"
        },
        {
            "fixed": "3.3.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        }
    ]
}

Affected versions

n3.*

n3.2-dev

n3.3-dev

n3.4-dev

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    }
]

vanir_signatures

[
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "libavformat/avidec.c",
            "function": "read_gab2_sub"
        },
        "id": "CVE-2017-9993-0b18ff5d",
        "deprecated": false,
        "source": "https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb",
        "digest": {
            "function_hash": "100093900058542799657889733734995495217",
            "length": 1723.0
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "libavformat/avidec.c"
        },
        "id": "CVE-2017-9993-193a3aba",
        "deprecated": false,
        "source": "https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb",
        "digest": {
            "line_hashes": [
                "247647588641104728213418509410831448062",
                "210452344144348706880714598537528074252",
                "114642071758997392080199538347251752333"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "libavformat/hls.c",
            "function": "open_url"
        },
        "id": "CVE-2017-9993-1e057fb8",
        "deprecated": false,
        "source": "https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021",
        "digest": {
            "function_hash": "257983092419843509256040459780787130368",
            "length": 1418.0
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "libavformat/hls.c"
        },
        "id": "CVE-2017-9993-fb437f3f",
        "deprecated": false,
        "source": "https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021",
        "digest": {
            "line_hashes": [
                "203502386244361887724902566458987754824",
                "16964987273774486397817083865857283257",
                "141704045537463233543622030142289086163",
                "84024654689120089223240706499637257499",
                "9068505603049988846850622761422986305",
                "326956143841571710063172647790829892873",
                "325329167976874793589187196805427456989",
                "108423924755251432220890115302295076355",
                "192732936803302232881769054923691155627",
                "312204071381423099927987894530916434070",
                "43764614645023624833614649909112426728",
                "314333908702926658478912859270766703185",
                "309502367116977254817880116671407519583"
            ],
            "threshold": 0.9
        }
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9993.json"