CVE-2017-9993

NameCVE-2017-9993
DescriptionFFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1630-1, DSA-3957-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ffmpeg (PTS)stretch (security)7:3.2.18-0+deb9u1fixed
stretch (lts), stretch7:3.2.19-0+deb9u5fixed
buster, buster (lts)7:4.1.11-0+deb10u2fixed
buster (security)7:4.1.11-0+deb10u1fixed
bullseye7:4.3.7-0+deb11u1fixed
bullseye (security)7:4.3.8-0+deb11u1fixed
bookworm (security), bookworm7:5.1.6-0+deb12u1fixed
sid, trixie7:7.1-3fixed
libav (PTS)jessie, jessie (lts)6:11.12-1~deb8u9fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ffmpegsourcestretch7:3.2.7-1~deb9u1DSA-3957-1
ffmpegsource(unstable)7:3.2.6-1
libavsourcewheezy(unfixed)end-of-life
libavsourcejessie6:11.12-1~deb8u4DLA-1630-1
libavsource(unstable)(unfixed)

Notes

https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
Fixed in 3.2.6
Jessie is only partially affected. Only the second commit is
relevant. HTTP Live Streaming filename extension code is not present.

Search for package or bug name: Reporting problems