Detections
Analytics
TencentOS Server 4: ffmpeg (TSSA-2024:0511)
high Nessus Plugin ID 239902
Synopsis
The remote TencentOS Server 4 host is missing one or more security updates.Description
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0511 advisory.Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:
CVE-2024-7055:
A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.
CVE-2024-36617:
FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
CVE-2024-36616:
An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file.
CVE-2024-36618:
FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
CVE-2024-35368:
FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.
CVE-2024-36615:
FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
CVE-2024-36619:
FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavcodec library which allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition.
CVE-2024-35367:
FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer
Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://mirrors.tencent.com/tlinux/errata/tssa-20240511.xml
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35368
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35367
Plugin Details
Severity: High
ID: 239902
File Name: tencentos_TSSA_2024_0511.nasl
Version: 1.1
Type: local
Family: Tencent Local Security Checks
Published: 6/16/2025
Updated: 6/16/2025
Supported Sensors: Nessus
Vulnerability Information
CPE: p-cpe:/a:tencent:tencentos_server:ffmpeg, cpe:/o:tencent:tencentos_server:4
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 12/10/2024
Vulnerability Publication Date: 12/10/2024