Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 572050

Summary: media-video/ffmpeg allows exfiltration of system files
Product: Gentoo Security Reporter: Linear Systems Tech Svcs. <linear-techs>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Linear Systems Tech Svcs. 2016-01-16 01:35:57 UTC 
A recently published vulnerability in the httpapple/HLS demuxer in ffmpeg will allow an attacker to craft a media file to get system files sent out of the target system.


The original post (in Russian, with exploit code examples):

http://habrahabr.ru/company/mailru/blog/274855/


Google translation of the page:

https://translate.google.com/translate?sl=ru&tl=en&u=http%3A%2F%2Fhabrahabr.ru%2Fcompany%2Fmailru%2Fblog%2F274855%2F


Post on ArchLinux bugzilla:

https://bugs.archlinux.org/task/47738


Post of a write-up for a CTF challenge using the vulnerability (from 2 months ago):

https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/super-turbo-atomic-gif-converter
Comment 1 Brian Evans (RETIRED) gentoo-dev 2016-01-16 01:47:09 UTC 

*** This bug has been marked as a duplicate of bug 571868 ***