Alpine: multiple ffmpeg packages: security update to 3.3.3-r0 (deprecated)

high Tenable Cloud Security Plugin ID 400818

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer
depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the
avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also
conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name
calls within the ffprobe command-line program.) (CVE-2017-14225)

- In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due to lack of an EOF (End of File)
check might cause huge CPU consumption. When a crafted IVR file, which claims a large "len" field in the
header but does not contain sufficient backing data, is provided, the first type==4 loop would consume
huge CPU resources, since there is no EOF check inside the loop. (CVE-2017-14054)

- In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due to lack of an EOF (End of File)
check might cause huge CPU and memory consumption. When a crafted MV file, which claims a large
"nb_frames" field in the header but does not contain sufficient backing data, is provided, the loop over
the frames would consume huge CPU and memory resources, since there is no EOF check inside the loop.
(CVE-2017-14055)

- In libavformat/rl2.c in FFmpeg 3.3.3, a DoS in rl2_read_header() due to lack of an EOF (End of File) check
might cause huge CPU and memory consumption. When a crafted RL2 file, which claims a large "frame_count"
field in the header but does not contain sufficient backing data, is provided, the loops (for offset and
size tables) would consume huge CPU and memory resources, since there is no EOF check inside these loops.
(CVE-2017-14056)

- In FFmpeg 3.3.3, a DoS in asf_read_marker() due to lack of an EOF (End of File) check might cause huge CPU
and memory consumption. When a crafted ASF file, which claims a large "name_len" or "count" field in the
header but does not contain sufficient backing data, is provided, the loops over the name and markers
would consume huge CPU and memory resources, since there is no EOF check inside these loops.
(CVE-2017-14057)

See Also

https://git.alpinelinux.org/aports/commit/?id=2d14ba7a5f1f6f839d85540ab93afe18dca7d624

https://git.alpinelinux.org/aports/commit/?id=88fc3caf3e4a94e9dc7529de69d1e4bb8cdc654e

Plugin Details

Severity: High

ID: 400818

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-14225

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/21/2017

Vulnerability Publication Date: 8/31/2017

Reference Information

CVE: CVE-2017-14054, CVE-2017-14055, CVE-2017-14056, CVE-2017-14057, CVE-2017-14058, CVE-2017-14059, CVE-2017-14169, CVE-2017-14170, CVE-2017-14171, CVE-2017-14222, CVE-2017-14223, CVE-2017-14225

BID: 100626, 100627, 100628, 100629, 100630, 100631, 100692, 100700, 100701, 100703, 100704, 100706