PatchSiren cyber security CVE debrief

CVE-2016-7970 Fedoraproject CVE debrief

CVE-2016-7970 affects libass versions before 0.13.4 and is described as a buffer overflow in calc_coeff within ass_blur.c. NVD rates it HIGH (CVSS 7.5) with network attack vector, no privileges, no user interaction, and availability impact only. The documented fix is in libass 0.13.4, with downstream advisories and package announcements referencing the patch.

Vendor: Fedoraproject
Product: CVE-2016-7970
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Teams that ship, package, or embed libass should care most, especially maintainers of media players, subtitle renderers, and Linux distributions noted in the NVD CPE data. Fedora 23/24/25 and any environment using libass before 0.13.4 are specifically called out in the source corpus.

Technical summary

The issue is a memory-safety flaw: a buffer overflow in libass's calc_coeff function (ass_blur.c). According to NVD, the weakness maps to CWE-119 and the CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating remote, low-complexity denial-of-service potential without privileges or user interaction. The vulnerable libass version range ends at 0.13.3, and the fix is present in 0.13.4.

Defensive priority

High. The vulnerability is remotely reachable in the CVSS assessment and can disrupt availability, so patching or upgrading should be prioritized wherever untrusted subtitle/media content is processed.

Recommended defensive actions

  • Upgrade libass to version 0.13.4 or later.
  • Verify whether any bundled or vendored libass copies are still at 0.13.3 or earlier.
  • Check Fedora 23/24/25 or other affected package streams for backported fixes from the referenced advisories.
  • Review applications that process untrusted subtitle content and ensure they receive patched libass builds.
  • Use vendor and distro advisories to confirm the remediation state of packaged dependencies.
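The version checks in the actions above, as an added example that is not PatchSiren, NVD or libass code: a POSIX sh script that compares a libass version string (including Fedora-style "0.13.3-2.fc25" strings) against the 0.13.4 fix release for CVE-2016-7970 and reports the locally installed copy via pkg-config or rpm. The pkg-config and rpm lookups assume those tools are present; nothing else is assumed.

```shell
#!/bin/sh
# Added example for this debrief (not PatchSiren, NVD or libass code): decide whether a
# libass version string is at or past the 0.13.4 release that fixes CVE-2016-7970, and
# report the locally installed copy via pkg-config or rpm (Fedora).

FIXED_LIBASS="0.13.4"

# Compare two dotted version strings component by component, printing -1, 0 or 1 for
# a<b, a==b, a>b. A distro suffix such as "-2.fc25" is stripped first, and missing
# trailing components count as 0, so 0.13.10 > 0.13.4 and 0.13 == 0.13.0.
version_cmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given libass version carries the CVE-2016-7970 fix.
libass_is_fixed() {
    [ "$(version_cmp "$1" "$FIXED_LIBASS")" -ge 0 ]
}

# Installed version from whichever tool knows about libass; prints nothing otherwise.
installed_libass_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libass 2>/dev/null; then
        pkg-config --modversion libass
    elif command -v rpm >/dev/null 2>&1 && rpm -q libass >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' libass
    fi
}

# Exit 0 = fixed, 1 = vulnerable, 2 = libass not found.
check_installed_libass() {
    v=$(installed_libass_version)
    if [ -z "$v" ]; then
        echo "libass: not found via pkg-config or rpm"; return 2
    elif libass_is_fixed "$v"; then
        echo "libass $v: >= $FIXED_LIBASS, CVE-2016-7970 fix present"; return 0
    fi
    echo "libass $v: < $FIXED_LIBASS, upgrade to $FIXED_LIBASS or later"; return 1
}
```

Bundled or vendored copies are not visible to pkg-config or rpm, so for those pass the version from the vendored tree's configure.ac or changelog to libass_is_fixed directly.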

Evidence notes

The NVD record describes a buffer overflow in calc_coeff in libass/ass_blur.c affecting libass before 0.13.4, with CWE-119 and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The source references include an oss-security mailing list post dated 2016-10-05, a libass 0.13.4 release tag, a libass pull request commit, Red Hat bug tracking, and Gentoo/Fedora advisories, which together support the existence of a patch and downstream remediation.

Official resources

CVE published on 2017-03-03. Source references in the record point to patch activity and advisories from 2016-10 onward, and the NVD entry was later modified on 2026-05-13. The CVE issue date should be treated as the published date in 2017,