UBUNTU-CVE-2025-59729
- Source
- https://ubuntu.com/security/CVE-2025-59729
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59729.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-59729
- Upstream
- Published
- 2025-10-06T08:15:00Z
- Modified
- 2026-01-20T18:33:48.148404Z
- Severity
-
- 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer. If we load a DHAV file that is larger than MAXDURATIONBUFFERSIZE bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have endbuffersize = 0x100000, and at [2] we have endbufferpos = 0x1000. The loop then scans backwards through the buffer looking for the dhav tag; when it is found, we'll calculate endpos based on a 32-bit offset read from the buffer. There is subsequently a check [3] that endpos is within the section of the file that has been copied into endbuffer, but it only correctly handles the cases where endpos is before the start of the file or after the section copied into endbuffer, and not the case where endpos is within the the file, but before the section copied into endbuffer. If we provide such an offset, (endpos - endbuffer_pos) can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation. We recommend upgrading to version 8.0 or beyond.
- References
Affected packages
Ubuntu:Pro:14.04:LTS / libav
Package
- Name
- libav
- Purl
- pkg:deb/ubuntu/libav@6:9.20-0ubuntu0.14.04.1+esm1?arch=source&distro=esm-infra-legacy/trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6:0.*
6:9.*
Ecosystem specific
{
"binaries": [
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libav-tools"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavcodec-dev"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavcodec-extra"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavcodec-extra-54"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavcodec54"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavdevice-dev"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavdevice-extra-53"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavdevice53"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavfilter-dev"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavfilter-extra-3"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavfilter3"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavformat-dev"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavformat-extra-54"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavformat54"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavresample-dev"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavresample1"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavutil-dev"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavutil-extra-52"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libavutil52"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libswscale-dev"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libswscale-extra-2"
},
{
"binary_version": "6:9.20-0ubuntu0.14.04.1+esm1",
"binary_name": "libswscale2"
}
]
}