Blackmagic fixes critical execution flaws in DaVinci Resolve code

Blackmagic Software recently fixed two security vulnerabilities in the very popular DaVinci Resolve software that would allow attackers to obtain code execution on unpatched systems.

DaVinci Resolve is a free software platform that combines video editing and color correction, visual effects, motion graphics, and audio post-production tools in a single solution.

As its developer Blackmagic claims, DaVinci Resolve is “Hollywood’s most popular editing solution” for Mac, Windows, and Linux.

Critical remote code execution faults

The two remote code execution (RCE) security vulnerabilities, tracked as CVE-2021-40417 and CVE-2021-40418, were discovered by security researchers at Cisco Talos and were assigned a CVSSv3 severity score of 9.8/10.

They are both caused by weaknesses in DaVinci Resolve’s DPDecoder service: the first is triggered by a heap-based buffer overflow when decoding a video file, the second by an incorrect UUID when parsing video files.

“[CVE-2021-40417] is a heap-based buffer overflow vulnerability that occurs when the application experiences an integer overflow condition that leads to a sign extension when attempting to decode a video file,” Cisco Talos explained.
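The pattern Talos describes, a length that passes through a signed integer and sign-extends into an oversized copy, is easiest to see in a small decoder. The following C program is an added illustration of that bug class and is not DaVinci Resolve's code; the one-byte chunk header, the sample chunks and the function names are all constructed for this example. It shows the naive signed length read next to a hardened decoder that reads the length unsigned and bounds it by the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy chunk layout (an assumption for this example, not
 * DaVinci Resolve's real container format):
 *   byte 0        : payload length, 0..255
 *   bytes 1..len  : payload bytes
 */
static const uint8_t SAMPLE_GOOD[] = { 0x03, 'a', 'b', 'c' }; /* constructed */
static const uint8_t SAMPLE_BAD[]  = { 0xFF, 'x' };           /* constructed */

/* Vulnerable-style length read: the length byte passes through a signed
 * 8-bit type, so any value >= 0x80 turns negative and sign-extends to a huge
 * size_t when widened (0xFF -> -1 -> SIZE_MAX). Nothing here copies memory;
 * it only exposes the size a buggy decoder would hand to malloc/memcpy. */
size_t naive_payload_length(const uint8_t *chunk) {
    int8_t len = (int8_t)chunk[0];
    return (size_t)len;
}

/* Returns 1 if the naive size exceeds the bytes actually available after the
 * header, i.e. a copy driven by it would run past the end of the input and
 * of any heap buffer sized for the real payload. */
int naive_copy_would_overflow(const uint8_t *chunk, size_t chunk_len) {
    if (chunk_len < 1) return 1;
    return naive_payload_length(chunk) > chunk_len - 1;
}

/* Hardened decoder: read the length as unsigned, require that the declared
 * length fits inside the input, and allocate exactly that many bytes.
 * Returns a malloc'd copy of the payload (caller frees) or NULL on
 * malformed input. */
uint8_t *decode_chunk(const uint8_t *chunk, size_t chunk_len, size_t *out_len) {
    if (chunk == NULL || out_len == NULL || chunk_len < 1) return NULL;
    size_t len = chunk[0];                 /* uint8_t widens to 0..255, never negative */
    if (len > chunk_len - 1) return NULL;  /* declared length must be backed by real bytes */
    uint8_t *payload = malloc(len > 0 ? len : 1);
    if (payload == NULL) return NULL;
    memcpy(payload, chunk + 1, len);
    *out_len = len;
    return payload;
}

/* Exercises both samples through the hardened path: the good chunk must
 * decode to "abc" and the bad chunk must be rejected. Returns 1 on success. */
int sample_roundtrip_ok(void) {
    size_t n = 0;
    uint8_t *p = decode_chunk(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n);
    int ok = (p != NULL && n == 3 && memcmp(p, "abc", 3) == 0);
    free(p);
    if (decode_chunk(SAMPLE_BAD, sizeof SAMPLE_BAD, &n) != NULL) ok = 0;
    return ok;
}

int main(void) {
    printf("naive length of bad chunk: %zu (would overflow: %d)\n",
           naive_payload_length(SAMPLE_BAD),
           naive_copy_would_overflow(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("hardened decoder handles both samples correctly: %s\n",
           sample_roundtrip_ok() ? "yes" : "no");
    return 0;
}
```

The key defensive step is reading length fields into an unsigned type of at least the field's width and comparing the declared length against the bytes that remain in the input before any allocation or copy is sized from it.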

“Alternatively, [CVE-2021-40418] could also lead to code execution, but is instead triggered as a result of an uninitialized object member as a result of an incorrect UUID.”
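The second bug class, an object member left uninitialized because an identifier did not match, is illustrated by the following C program. It is an added example and not DaVinci Resolve's code; the 16-byte codec UUID, the context layout, the frame size and the function names are all constructed for this example. It contrasts a setup routine that only fills the context on a UUID match with one that zeroes the context first and reports the mismatch, so a decoder can refuse to run on a half-built object.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed 16-byte codec identifier and frame geometry; both are
 * assumptions for this example, not values from DaVinci Resolve. */
static const uint8_t KNOWN_CODEC_UUID[16] = {
    0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
    0x0f, 0xed, 0xcb, 0xa9, 0x87, 0x65, 0x43, 0x21 };
#define FRAME_BYTES 16

typedef void (*frame_fn)(const uint8_t *in, uint8_t *out, size_t n);

typedef struct {
    int ready;             /* set to 1 only when every member below is valid */
    uint32_t frame_size;   /* bytes per frame, consumed by decode_one_frame() */
    frame_fn decode_frame; /* codec-specific callback */
} codec_ctx;

/* Toy codec: a plain copy stands in for real frame decoding. */
static void copy_codec(const uint8_t *in, uint8_t *out, size_t n) {
    memcpy(out, in, n);
}

/* Vulnerable-style setup. Members are written only on a UUID match; on a
 * mismatch the function returns having touched nothing, so the caller's
 * ctx keeps whatever stale stack or heap bytes it started with, and a later
 * ctx->decode_frame(...) call uses that garbage as a function pointer. */
void setup_ctx_unchecked(codec_ctx *ctx, const uint8_t uuid[16]) {
    if (memcmp(uuid, KNOWN_CODEC_UUID, 16) == 0) {
        ctx->frame_size   = FRAME_BYTES;
        ctx->decode_frame = copy_codec;
    }
}

/* Hardened setup: zero every member first, then refuse unknown UUIDs with an
 * error the caller must check. Returns 0 on success, -1 on an unknown UUID. */
int setup_ctx_checked(codec_ctx *ctx, const uint8_t uuid[16]) {
    memset(ctx, 0, sizeof *ctx);
    if (memcmp(uuid, KNOWN_CODEC_UUID, 16) != 0) return -1;
    ctx->frame_size   = FRAME_BYTES;
    ctx->decode_frame = copy_codec;
    ctx->ready        = 1;
    return 0;
}

/* Decoder entry point: refuses contexts that were never fully initialised. */
int decode_one_frame(const codec_ctx *ctx, const uint8_t *in, uint8_t *out) {
    if (ctx == NULL || !ctx->ready || ctx->decode_frame == NULL) return -1;
    ctx->decode_frame(in, out, ctx->frame_size);
    return 0;
}

/* Scenario 1: an unrecognised UUID must leave the context unusable. */
int unknown_uuid_is_rejected(void) {
    codec_ctx ctx;
    uint8_t bad_uuid[16] = { 0 };
    uint8_t in[FRAME_BYTES] = { 0 }, out[FRAME_BYTES] = { 0 };
    if (setup_ctx_checked(&ctx, bad_uuid) != -1) return 0;
    if (ctx.ready != 0 || ctx.decode_frame != NULL) return 0;
    return decode_one_frame(&ctx, in, out) == -1;
}

/* Scenario 2: the known UUID yields a working context that decodes a frame. */
int known_uuid_roundtrip_ok(void) {
    codec_ctx ctx;
    uint8_t in[FRAME_BYTES], out[FRAME_BYTES] = { 0 };
    for (size_t i = 0; i < FRAME_BYTES; i++) in[i] = (uint8_t)(i * 7 + 1);
    if (setup_ctx_checked(&ctx, KNOWN_CODEC_UUID) != 0) return 0;
    if (decode_one_frame(&ctx, in, out) != 0) return 0;
    return memcmp(in, out, FRAME_BYTES) == 0;
}

int main(void) {
    printf("unknown UUID rejected: %s\n", unknown_uuid_is_rejected() ? "yes" : "no");
    printf("known UUID round-trip: %s\n", known_uuid_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Two habits close this class of bug: initialise the whole object before any branch can return early, and make identifier validation return a status the caller is forced to act on rather than silently leaving members unset.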

Both bugs can be exploited by remote threat actors in low-complexity attacks, with successful exploitation requiring neither user authentication nor interaction.

Patches available

Cisco Talos discovered the two code execution vulnerabilities during the analysis of DaVinci Resolve, version 17.3.1.0005.

Blackmagic has since fixed both bugs, and users are encouraged to update to DaVinci Resolve 17.4.3, or the latest published version for their platform, as soon as possible.

“Cisco Talos has worked with Blackmagic to ensure that these issues are resolved and that an update is available to affected customers,” said the Cisco Talos team.

You can find detailed information on how to install DaVinci Resolve software on your device in the DaVinci Resolve 17.4.3 Change Log, released earlier this week.
