Vendor: libquicktime
By: qflb.wu
CVSS: 6.5 (MEDIUM)
Denial of Service
CWE: 119, 787
Product Name: libquicktime
Affected Version From: 1.2.4
Affected Version To: 1.2.4
Patch Exists: YES
Related CVE: CVE-2017-9122, CVE-2017-9123
CPE: 2.3:a:libquicktime:libquicktime:1.2.4
Metasploit:
https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-9122/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2017-9122/, https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2017-9122/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2017-9123/, https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-9123/, https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2017-9123/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2017
libquicktime multiple vulnerabilities
The libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance, while providing compatibility with the Quicktime 4 Linux library.

CVE-2017-9122: The quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service (infinite loop and CPU consumption) via a crafted mp4 file.

CVE-2017-9123: The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service (invalid memory read and application crash) via a crafted mp4 file.
Mitigation:
Upgrade to the latest version of libquicktime.