Alpine: multiple ffmpeg packages: security update to 3.2.8-r0

high Tenable Self-Hosted Container Security Plugin ID 404301

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c in FFmpeg before 3.3.4 mishandles
empty sprop-parameter-sets values, which allows remote attackers to cause a denial of service (heap buffer
overflow) or possibly have unspecified other impact via a crafted sdp file. (CVE-2017-14767)

- In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due to lack of an EOF (End of File)
check might cause huge CPU consumption. When a crafted IVR file, which claims a large "len" field in the
header but does not contain sufficient backing data, is provided, the first type==4 loop would consume
huge CPU resources, since there is no EOF check inside the loop. (CVE-2017-14054)

- In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due to lack of an EOF (End of File)
check might cause huge CPU and memory consumption. When a crafted MV file, which claims a large
"nb_frames" field in the header but does not contain sufficient backing data, is provided, the loop over
the frames would consume huge CPU and memory resources, since there is no EOF check inside the loop.
(CVE-2017-14055)

- In libavformat/rl2.c in FFmpeg 3.3.3, a DoS in rl2_read_header() due to lack of an EOF (End of File) check
might cause huge CPU and memory consumption. When a crafted RL2 file, which claims a large "frame_count"
field in the header but does not contain sufficient backing data, is provided, the loops (for offset and
size tables) would consume huge CPU and memory resources, since there is no EOF check inside these loops.
(CVE-2017-14056)

- In FFmpeg 3.3.3, a DoS in asf_read_marker() due to lack of an EOF (End of File) check might cause huge CPU
and memory consumption. When a crafted ASF file, which claims a large "name_len" or "count" field in the
header but does not contain sufficient backing data, is provided, the loops over the name and markers
would consume huge CPU and memory resources, since there is no EOF check inside these loops.
(CVE-2017-14057)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-14054

https://security.alpinelinux.org/vuln/CVE-2017-14055

https://security.alpinelinux.org/vuln/CVE-2017-14056

https://security.alpinelinux.org/vuln/CVE-2017-14057

https://security.alpinelinux.org/vuln/CVE-2017-14058

https://security.alpinelinux.org/vuln/CVE-2017-14059

https://security.alpinelinux.org/vuln/CVE-2017-14169

https://security.alpinelinux.org/vuln/CVE-2017-14170

https://security.alpinelinux.org/vuln/CVE-2017-14171

https://security.alpinelinux.org/vuln/CVE-2017-14222

https://security.alpinelinux.org/vuln/CVE-2017-14223

https://security.alpinelinux.org/vuln/CVE-2017-14225

https://security.alpinelinux.org/vuln/CVE-2017-14767

Plugin Details

Severity: High

ID: 404301

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-14767

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 8/31/2017

Reference Information

CVE: CVE-2017-14054, CVE-2017-14055, CVE-2017-14056, CVE-2017-14057, CVE-2017-14058, CVE-2017-14059, CVE-2017-14169, CVE-2017-14170, CVE-2017-14171, CVE-2017-14222, CVE-2017-14223, CVE-2017-14225, CVE-2017-14767

BID: 100626, 100627, 100628, 100629, 100630, 100631, 100692, 100700, 100701, 100703, 100704, 100706, 101019