CVE-2017-14767

Name	CVE-2017-14767
Description	The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c in FFmpeg before 3.3.4 mishandles empty sprop-parameter-sets values, which allows remote attackers to cause a denial of service (heap buffer overflow) or possibly have unspecified other impact via a crafted sdp file.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1630-1, DSA-3996-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ffmpeg (PTS)	bullseye	7:4.3.7-0+deb11u1	fixed
	bullseye (security)	7:4.3.8-0+deb11u3	fixed
	bookworm, bookworm (security)	7:5.1.6-0+deb12u1	fixed
	sid, trixie	7:7.1.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
ffmpeg	source	stretch	7:3.2.8-1~deb9u1	DSA-3996-1
ffmpeg	source	(unstable)	7:3.3.4-1
libav	source	jessie	6:11.12-1~deb8u4	DLA-1630-1
libav	source	(unstable)	(unfixed)

Notes

https://github.com/FFmpeg/FFmpeg/commit/c42a1388a6d1bfd8001bf6a4241d8ca27e49326d
Fixed in 3.2.8
The check is completely missing in Jessie. It should be added.