CVE-2017-9993

Name: CVE-2017-9993
Description: FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-3957-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release                    Version            Status
ffmpeg (PTS)    stretch                    7:3.2.5-1          vulnerable
ffmpeg          stretch (security)         7:3.2.7-1~deb9u1   fixed
ffmpeg          buster, sid                7:3.3.4-1          fixed
libav (PTS)     wheezy                     6:0.8.17-2         undetermined
libav           wheezy (security)          6:0.8.20-0+deb7u1  undetermined
libav           jessie (security), jessie  6:11.9-1~deb8u1    undetermined

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version     Urgency  Origin      Debian Bugs
ffmpeg   source  (unstable)  7:3.2.6-1         medium
ffmpeg   source  stretch     7:3.2.7-1~deb9u1  medium   DSA-3957-1
libav    source  (unstable)  undetermined      medium

Notes

https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
Fixed in 3.2.6
