PublicDateAtUSN: 2016-11-11
Candidate: CVE-2016-5199
PublicDate: 2017-01-19 05:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5199
 https://chromium-review.googlesource.com/383956
 https://github.com/FFmpeg/FFmpeg/commit/347cb14b7cba7560e53f4434b419b9d8800253e7
 https://ubuntu.com/security/notices/USN-3133-1
Description:
 An off by one error resulting in an allocation of zero size in FFmpeg in
 Google Chrome prior to 54.0.2840.98 for Mac, and 54.0.2840.99 for Windows,
 and 54.0.2840.100 for Linux, and 55.0.2883.84 for Android allowed a remote
 attacker to potentially exploit heap corruption via a crafted video file.
Ubuntu-Description:
Notes:
 ebarretto> Could not find the same affected code on xenial version. The
 ebarretto> fix came on version 3.2 and xenial is on 2.8.14 where that
 ebarretto> function does not exist and there was no similar code.
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_chromium-browser:
upstream_chromium-browser: released (54.0.2840.100)
precise_chromium-browser: ignored
precise/esm_chromium-browser: DNE (precise was ignored)
trusty_chromium-browser: released (58.0.3029.81-0ubuntu0.14.04.1172)
trusty/esm_chromium-browser: DNE (trusty was released [58.0.3029.81-0ubuntu0.14.04.1172])
vivid/ubuntu-core_chromium-browser: DNE
vivid/stable-phone-overlay_chromium-browser: DNE
xenial_chromium-browser: released (55.0.2883.87-0ubuntu0.16.04.1263)
yakkety_chromium-browser: released (55.0.2883.87-0ubuntu0.16.10.1328)
zesty_chromium-browser: released (55.0.2883.87-0ubuntu1)
artful_chromium-browser: released (55.0.2883.87-0ubuntu1)
bionic_chromium-browser: released (55.0.2883.87-0ubuntu1)
devel_chromium-browser: released (55.0.2883.87-0ubuntu1)

Patches_oxide-qt:
upstream_oxide-qt: pending (1.18.5)
precise_oxide-qt: DNE
precise/esm_oxide-qt: DNE
trusty_oxide-qt: released (1.18.5-0ubuntu0.14.04.1)
trusty/esm_oxide-qt: DNE (trusty was released [1.18.5-0ubuntu0.14.04.1])
vivid/ubuntu-core_oxide-qt: DNE
vivid/stable-phone-overlay_oxide-qt: released (1.19.7-0ubuntu0.15.04.1~overlay1)
xenial_oxide-qt: released (1.18.5-0ubuntu0.16.04.1)
esm-infra/xenial_oxide-qt: released (1.18.5-0ubuntu0.16.04.1)
yakkety_oxide-qt: released (1.18.5-0ubuntu0.16.10.1)
zesty_oxide-qt: released (1.19.6-0ubuntu2)
artful_oxide-qt: released (1.19.6-0ubuntu2)
bionic_oxide-qt: DNE
devel_oxide-qt: DNE

Patches_libav:
upstream_libav: needs-triage
precise_libav: ignored (reached end-of-life)
precise/esm_libav: DNE (precise was needs-triage)
trusty_libav: not-affected (code not present)
trusty/esm_libav: DNE (trusty was not-affected [code not present])
vivid/stable-phone-overlay_libav: DNE
vivid/ubuntu-core_libav: DNE
xenial_libav: DNE
yakkety_libav: DNE
zesty_libav: DNE
artful_libav: DNE
bionic_libav: DNE
devel_libav: DNE

Patches_ffmpeg:
upstream_ffmpeg: released (7:3.2-1)
precise_ffmpeg: DNE
precise/esm_ffmpeg: DNE
trusty_ffmpeg: DNE
trusty/esm_ffmpeg: DNE
vivid/stable-phone-overlay_ffmpeg: DNE
vivid/ubuntu-core_ffmpeg: DNE
xenial_ffmpeg: not-affected (code not present)
yakkety_ffmpeg: released (7:3.0.5-0ubuntu0.16.10.1)
zesty_ffmpeg: ignored (reached end-of-life)
artful_ffmpeg: ignored (reached end-of-life)
bionic_ffmpeg: released (7:3.2-1)
devel_ffmpeg: released (7:3.2-1)