Candidate: CVE-2017-14767
PublicDate: 2017-09-27 08:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14767
 https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2
 https://github.com/FFmpeg/FFmpeg/commit/c42a1388a6d1bfd8001bf6a4241d8ca27e49326d
Description:
 The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c in
 FFmpeg before 3.3.4 mishandles empty sprop-parameter-sets values, which
 allows remote attackers to cause a denial of service (heap buffer overflow)
 or possibly have unspecified other impact via a crafted sdp file.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_libav:
upstream_libav: needs-triage
precise/esm_libav: DNE
trusty_libav: not-affected (code not present)
trusty/esm_libav: DNE (trusty was not-affected [code not present])
vivid/ubuntu-core_libav: DNE
xenial_libav: DNE
zesty_libav: DNE
artful_libav: DNE
bionic_libav: DNE
cosmic_libav: DNE
devel_libav: DNE

Patches_ffmpeg:
upstream_ffmpeg: released (7:3.3.4-1)
precise/esm_ffmpeg: DNE
trusty_ffmpeg: DNE
trusty/esm_ffmpeg: DNE
vivid/ubuntu-core_ffmpeg: DNE
xenial_ffmpeg: released (7:2.8.14-0ubuntu0.16.04.1)
zesty_ffmpeg: ignored (reached end-of-life)
artful_ffmpeg: ignored (reached end-of-life)
bionic_ffmpeg: not-affected (7:3.4-1)
cosmic_ffmpeg: not-affected (7:3.4-1)
devel_ffmpeg: not-affected (7:3.4-1)