CVE-2016-10192

NameCVE-2016-10192
DescriptionHeap-based buffer overflow in ffserver.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check chunk size.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ffmpeg (PTS)stretch (security), stretch7:3.2.9-1~deb9u1fixed
buster, sid7:3.4.1-1fixed
libav (PTS)wheezy6:0.8.17-2undetermined
wheezy (security)6:0.8.21-0+deb7u1undetermined
jessie (security), jessie6:11.11-1~deb8u1undetermined

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ffmpegsource(unstable)7:3.2.2-1high
libavsource(unstable)undeterminedhigh

Notes

Patch: https://github.com/FFmpeg/FFmpeg/commit/a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156
http://www.openwall.com/lists/oss-security/2017/01/31/12

Search for package or bug name: Reporting problems