CVE-2016-5199
Publication date 11 November 2016
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
An off-by-one error resulting in an allocation of zero size in FFmpeg in Google Chrome prior to 54.0.2840.98 for Mac, 54.0.2840.99 for Windows, 54.0.2840.100 for Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
Status
Package | Ubuntu Release | Status |
---|---|---|
chromium-browser | 18.04 LTS bionic | Fixed 55.0.2883.87-0ubuntu1 |
chromium-browser | 16.04 LTS xenial | Fixed 55.0.2883.87-0ubuntu0.16.04.1263 |
chromium-browser | 14.04 LTS trusty | Fixed 58.0.3029.81-0ubuntu0.14.04.1172 |
ffmpeg | 18.04 LTS bionic | Fixed 7:3.2-1 |
ffmpeg | 16.04 LTS xenial | Not affected |
ffmpeg | 14.04 LTS trusty | Not in release |
libav | 18.04 LTS bionic | Not in release |
libav | 16.04 LTS xenial | Not in release |
libav | 14.04 LTS trusty | Not affected |
oxide-qt | 18.04 LTS bionic | Not in release |
oxide-qt | 16.04 LTS xenial | Fixed 1.18.5-0ubuntu0.16.04.1 |
oxide-qt | 14.04 LTS trusty | Fixed 1.18.5-0ubuntu0.14.04.1 |
Notes
ebarretto
Could not find the same affected code on xenial version. The fix came on version 3.2 and xenial is on 2.8.14 where that function does not exist and there was no similar code.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3133-1: Oxide vulnerabilities (1 December 2016)