A recently published vulnerability in the httpapple/HLS demuxer in ffmpeg will allow an attacker to craft a media file to get system files sent out of the target system. The original post (in Russian, with exploit code examples): http://habrahabr.ru/company/mailru/blog/274855/ Google translation of the page: https://translate.google.com/translate?sl=ru&tl=en&u=http%3A%2F%2Fhabrahabr.ru%2Fcompany%2Fmailru%2Fblog%2F274855%2F Post on ArchLinux bugzilla: https://bugs.archlinux.org/task/47738 Post of a write-up for a CTF challenge using the vulnerability (from 2 months ago): https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/super-turbo-atomic-gif-converter
*** This bug has been marked as a duplicate of bug 571868 ***