Alpine: ffmpeg4: security update to 4.0.2-r0

Critical - Tenable Self-Hosted Container Security Plugin ID 425994

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out-of-array access
vulnerabilities in the mms protocol that can result in attackers accessing out-of-bounds data. This attack
appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in
cced03dd667a5df6df8fd40d8de0bff477ee02e8 and later. (CVE-2018-1999010)

- In FFmpeg 4.0.1, due to a missing check of a profile value before setting it, the
ff_mpeg4_decode_picture_header function in libavcodec/mpeg4videodec.c may trigger a NULL pointer
dereference while converting a crafted AVI file to MPEG4, leading to a denial of service. (CVE-2018-13301)

- In FFmpeg 4.0.1, a missing check for failure of a call to init_get_bits8() in the avpriv_ac3_parse_header
function in libavcodec/ac3_parser.c may trigger a NULL pointer dereference while converting a crafted AVI
file to MPEG4, leading to a denial of service. (CVE-2018-13303)

- In libavcodec in FFmpeg 4.0.1, improper maintenance of the consistency between the context profile field
and studio_profile in libavcodec may trigger an assertion failure while converting a crafted AVI file to
MPEG4, leading to a denial of service, related to error_resilience.c, h263dec.c, and mpeg4videodec.c.
(CVE-2018-13304)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-13301

https://security.alpinelinux.org/vuln/CVE-2018-13303

https://security.alpinelinux.org/vuln/CVE-2018-13304

https://security.alpinelinux.org/vuln/CVE-2018-1999010

https://security.alpinelinux.org/vuln/CVE-2018-1999011

https://security.alpinelinux.org/vuln/CVE-2018-1999012

https://security.alpinelinux.org/vuln/CVE-2018-1999013

https://security.alpinelinux.org/vuln/CVE-2018-1999014

https://security.alpinelinux.org/vuln/CVE-2018-1999015

Plugin Details

Severity: Critical

ID: 425994

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 10/1/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-1999010

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/5/2018

Reference Information

CVE: CVE-2018-13301, CVE-2018-13303, CVE-2018-13304, CVE-2018-1999010, CVE-2018-1999011, CVE-2018-1999012, CVE-2018-1999013, CVE-2018-1999014, CVE-2018-1999015

BID: 104675, 104896