CVE-2017-9993

Name: CVE-2017-9993
Description: FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
Source: CVE (at NVD)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                    Version              Status
ffmpeg           stretch                    7:3.2.5-1            vulnerable
                 buster                     7:3.2.6-1            fixed
                 sid                        7:3.3.2-1            fixed
libav            wheezy                     6:0.8.17-2           undetermined
                 wheezy (security)          6:0.8.20-0+deb7u1    undetermined
                 jessie (security), jessie  6:11.9-1~deb8u1      undetermined

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
ffmpeg    source   (unstable)   7:3.2.6-1       medium
libav     source   (unstable)   undetermined    medium

Notes

https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
