[3.3] FFmpeg: stealing local files with HLS+concat CVE-2016-1897 and CVE-2016-1898
Description
FFmpeg 2.x allows reading local files and sending them over the network using a specially crafted video file. This affects not only file conversion (including thumbnail generation), but also any other operations that involve ffmpeg processing your file — for example, ffprobe is affected.
Several new point releases (2.8.5, 2.7.5, 2.6.7, 2.5.10) fix various bugs, as well as CVE-2016-1897 and CVE-2016-1898. Please see the changelog for each release for more details.
CVE-2016-1897
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
CVE-2016-1898
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.
References
http://www.openwall.com/lists/oss-security/2016/01/14/1
http://habrahabr.ru/company/mailru/blog/274855/
https://www.ffmpeg.org/index.html#news
(from redmine: issue id 5029, created on 2016-01-18, closed on 2017-04-08)
- Changesets:
- Revision 8c68262f by Natanael Copa on 2016-01-20T08:17:53Z:
main/ffmpeg: security upgrade to 2.8.5 (CVE-2016-1897,CVE-2016-1898)
ref #5029
- Revision 403c9df3 by Natanael Copa on 2016-01-20T08:23:12Z:
main/ffmpeg: security upgrade to 2.8.5 (CVE-2016-1897,CVE-2016-1898)
fixes #5029
(cherry picked from commit 8c68262f6d9619eceb4ba3e573dce34318e3c3dd)
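
A pre-processing check for untrusted media, added here as an example (it is not code from the FFmpeg or Alpine projects): it looks for HLS playlist text anywhere in a file and reports segment or tag URIs whose scheme is not on an allowlist, which covers the concat and subfile protocols named in the two CVEs. The allowlist, the function names and the sample inputs are assumptions constructed for illustration; it is a heuristic to run in addition to upgrading to a fixed release.

```python
import re

# Assumption: the service only ever expects remote HLS segments over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}
# "scheme:" in general, plus the comma-separated option form used by subfile.
SCHEME_RE = re.compile(r"^(?:([A-Za-z][A-Za-z0-9+.\-]*):|(subfile),)", re.I)
URI_ATTR_RE = re.compile(r'URI="([^"]*)"')


def playlist_uris(data: bytes):
    """Yield URIs from HLS playlist text found in data, wherever #EXTM3U starts."""
    text = data.decode("latin-1")  # maps bytes 1:1, never raises
    start = text.find("#EXTM3U")
    if start < 0:
        return  # no playlist marker: nothing to inspect
    for line in text[start:].splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Tags such as #EXT-X-KEY and #EXT-X-MAP carry URI="..." attributes.
            yield from URI_ATTR_RE.findall(line)
        else:
            yield line  # segment or nested-playlist URI


def disallowed_uris(data: bytes):
    """Return (scheme, uri) pairs for playlist URIs outside the allowlist."""
    hits = []
    for uri in playlist_uris(data):
        m = SCHEME_RE.match(uri)
        if m:
            scheme = (m.group(1) or m.group(2)).lower()
            if scheme not in ALLOWED_SCHEMES:
                hits.append((scheme, uri))
    return hits  # relative URIs (no scheme) are not reported


# Constructed sample inputs; the names are placeholders, not real paths or hosts.
BENIGN = (b"#EXTM3U\n#EXT-X-TARGETDURATION:10\n#EXTINF:10.0,\n"
          b"https://media.example.invalid/seg0.ts\n#EXTINF:10.0,\nseg1.ts\n")
SUSPECT = (b"\x00\x01binary-prefix\n#EXTM3U\n#EXTINF:1.0,\n"
           b"concat:placeholder-a|placeholder-b\n#EXTINF:1.0,\n"
           b"subfile,,start,0,end,64,,:placeholder.bin\n#EXT-X-ENDLIST\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, disallowed_uris(blob))
```

The check inspects file content rather than the file extension, since the description above refers to a crafted video file and not to a file named as a playlist.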