CVE-2016-5199
Published: 11 November 2016
An off by one error resulting in an allocation of zero size in FFmpeg in Google Chrome prior to 54.0.2840.98 for Mac, and 54.0.2840.99 for Windows, and 54.0.2840.100 for Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
Notes
Author | Note |
---|---|
ebarretto | Could not find the same affected code on xenial version. The fix came on version 3.2 and xenial is on 2.8.14 where that function does not exist and there was no similar code. |
Priority
Status
Package | Release | Status |
---|---|---|
chromium-browser Launchpad, Ubuntu, Debian |
artful |
Released
(55.0.2883.87-0ubuntu1)
|
bionic |
Released
(55.0.2883.87-0ubuntu1)
|
|
precise |
Ignored
|
|
trusty |
Released
(58.0.3029.81-0ubuntu0.14.04.1172)
|
|
upstream |
Released
(54.0.2840.100)
|
|
xenial |
Released
(55.0.2883.87-0ubuntu0.16.04.1263)
|
|
yakkety |
Released
(55.0.2883.87-0ubuntu0.16.10.1328)
|
|
zesty |
Released
(55.0.2883.87-0ubuntu1)
|
|
ffmpeg Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
bionic |
Released
(7:3.2-1)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(7:3.2-1)
|
|
xenial |
Not vulnerable
(code not present)
|
|
yakkety |
Released
(7:3.0.5-0ubuntu0.16.10.1)
|
|
zesty |
Ignored
(end of life)
|
|
libav Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
precise |
Ignored
(end of life)
|
|
trusty |
Not vulnerable
(code not present)
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
|
oxide-qt Launchpad, Ubuntu, Debian |
artful |
Released
(1.19.6-0ubuntu2)
|
bionic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Released
(1.18.5-0ubuntu0.14.04.1)
|
|
upstream |
Pending
(1.18.5)
|
|
xenial |
Released
(1.18.5-0ubuntu0.16.04.1)
|
|
yakkety |
Released
(1.18.5-0ubuntu0.16.10.1)
|
|
zesty |
Released
(1.19.6-0ubuntu2)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |