PublicDateAtUSN: 2015-11-26
Candidate: CVE-2015-8365
PublicDate: 2015-11-26 17:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8365
 https://ubuntu.com/security/notices/USN-2944-1
Description:
 The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before
 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not verify that the
 data size is consistent with the number of channels, which allows remote
 attackers to cause a denial of service (out-of-bounds array access) or
 possibly have unspecified other impact via crafted Smacker data.
Ubuntu-Description:
Notes:
 mdeslaur> as of 2016-03-31, no equivalent fix in libav
 ebarretto> as of 2018-09-27, no equivalent fix in libav
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1523692
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_ffmpeg:
 upstream: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4a9af07a49295e014b059c1ab624c40345af5892
upstream_ffmpeg: needs-triage
precise_ffmpeg: DNE
precise/esm_ffmpeg: DNE
trusty_ffmpeg: DNE
trusty/esm_ffmpeg: DNE
vivid_ffmpeg: released (7:2.5.9-0ubuntu0.15.04.1)
vivid/stable-phone-overlay_ffmpeg: DNE
vivid/ubuntu-core_ffmpeg: DNE
wily_ffmpeg: not-affected (7:2.7.3-0ubuntu0.15.10.1)
xenial_ffmpeg: not-affected (7:2.8.3-1)
yakkety_ffmpeg: not-affected (7:2.8.3-1)
zesty_ffmpeg: not-affected (7:2.8.3-1)
artful_ffmpeg: not-affected (7:2.8.3-1)
bionic_ffmpeg: not-affected (7:2.8.3-1)
devel_ffmpeg: not-affected (7:2.8.3-1)

Patches_libav:
upstream_libav: needs-triage
precise_libav: released (4:0.8.17-0ubuntu0.12.04.2)
precise/esm_libav: DNE (precise was released [4:0.8.17-0ubuntu0.12.04.2])
trusty_libav: ignored
trusty/esm_libav: DNE (trusty was ignored)
vivid_libav: ignored (reached end-of-life)
vivid/stable-phone-overlay_libav: DNE
vivid/ubuntu-core_libav: DNE
wily_libav: DNE
xenial_libav: DNE
yakkety_libav: DNE
zesty_libav: DNE
artful_libav: DNE
bionic_libav: DNE
devel_libav: DNE