| Summary: | <media-video/libav-11.6: stealing local files with HLS+concat (CVE-2016-{1897,1898}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | media-video, slawomir.nizio |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2016/01/13/3 | | |
| Whiteboard: | A4 [glsa cve cleanup] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 600706 | | |
| Bug Blocks: | | | |

Description
Agostino Sarubbo
2016-01-14 10:18:06 UTC
CVE-2016-1898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1898): FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.

CVE-2016-1897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1897): FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.

Upstream's resolution was to disable concat per default: https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.6#l7

We have disabled concat as well, https://gitweb.gentoo.org/repo/gentoo.git/tree/media-video/libav/libav-11.6.ebuild?id=699e5ef7bf5d2f62bff41d508796ae60403a8adb#n180

Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s).

This issue was resolved and addressed in GLSA 201705-08 at https://security.gentoo.org/glsa/201705-08 by GLSA coordinator Kristian Fiskerstrand (K_F).
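
Both CVEs above depend on an M3U8 playlist naming a non-HTTP protocol (concat, subfile). As an added example, not code from libav, FFmpeg or Gentoo, the following pre-flight check rejects playlist entries whose protocol prefix is outside an allowlist before the playlist reaches a demuxer. The allowlist, the function names and the sample playlist are assumptions constructed for illustration, and the prefix parsing only approximates how the library resolves protocols.

```python
import re

# Assumption for this example: playlists may only reference plain HTTP(S) media.
ALLOWED_SCHEMES = {"http", "https"}
URI_ATTR = re.compile(r'URI="([^"]*)"')

def playlist_uris(text):
    """Yield (line_number, uri) for segment lines and URI="..." tag attributes."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("#"):
            for m in URI_ATTR.finditer(line):
                yield n, m.group(1)
        elif line:
            yield n, line

def scheme_of(uri):
    """Return the lowercased protocol prefix, or "" for a relative reference."""
    if ":" not in uri:
        return ""
    # subfile carries options between the protocol name and the colon,
    # e.g. "subfile,,start,0,end,1024,,:name", so cut at the first comma too.
    name = uri.split(":", 1)[0].split(",", 1)[0].lower()
    return name if re.fullmatch(r"[a-z][a-z0-9+.-]*", name) else ""

def audit_playlist(text):
    """Return (line_number, scheme, uri) for every entry outside the allowlist."""
    findings = []
    for n, uri in playlist_uris(text):
        scheme = scheme_of(uri)
        # Relative references (no scheme) are assumed to resolve against the
        # HTTP(S) URL the playlist itself was fetched from.
        if scheme and scheme not in ALLOWED_SCHEMES:
            findings.append((n, scheme, uri))
    return findings

# Constructed sample playlist (not taken from the advisory).
SAMPLE = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="file:key.bin"
#EXTINF:10,
https://media.example.invalid/seg0.ts
#EXTINF:10,
concat:seg1.ts|seg2.ts
#EXTINF:10,
subfile,,start,0,end,1024,,:seg3.ts
#EXTINF:10,
seg4.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for n, scheme, uri in audit_playlist(SAMPLE):
        print(f"line {n}: disallowed protocol {scheme!r} in {uri!r}")
```

A check like this complements, and does not replace, building the library with the concat protocol disabled as the comments above describe.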