Bug 206282 - multimedia/ffmpeg zero-day vulnerability HLS
Summary: multimedia/ffmpeg zero-day vulnerability HLS
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Thomas Zander
URL: https://ffmpeg.org/security.html
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-01-15 02:58 UTC by sasamotikomi
Modified: 2016-01-17 10:19 UTC

See Also:
riggs: maintainer-feedback+
riggs: merge-quarterly+


Description sasamotikomi 2016-01-15 02:58:20 UTC
An attacker can simply put an m3u8 in a media container and get access to your local file (for example, a password).
I recommend building ffmpeg with --disable-network.

http://news.softpedia.com/news/zero-day-ffmpeg-vulnerability-lets-anyone-steal-files-from-remote-machines-498880.shtml
Comment 1 Jan Beich freebsd_committer freebsd_triage 2016-01-17 03:04:18 UTC
Thomas, can you mark the 2.8.5 update (the fix) as an MFH candidate? It'd be nice to start having quarterly branches updated: 2.8.x for 2016Q1. ffmpeg has a pretty wide attack surface (numerous codecs, demuxers, filters, etc.) even excluding external libraries.

http://abi-laboratory.pro/tracker/timeline/ffmpeg/index.html
Comment 2 Thomas Zander freebsd_committer freebsd_triage 2016-01-17 08:10:36 UTC
(In reply to Jan Beich from comment #1)

Yes, absolutely. Testing the 2.8.5 update right now, and looks good so far. If I don't encounter anything out of the ordinary, it will hit the tree soon.
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-01-17 09:58:57 UTC
A commit references this bug:

Author: riggs
Date: Sun Jan 17 09:58:37 UTC 2016
New revision: 406290
URL: https://svnweb.freebsd.org/changeset/ports/406290

Log:
  Upgrade to upstream release 2.8.5; fix zero-day remote vulnerability

  Both mentioned CVE IDs refer to vulnerabilities where a remote attacker
  can read arbitrary files by using the subfile protocol in an HTTP Live
  Streaming (HLS) M3U8 file. The new release fixes those in the process.

  PR:		206282
  Reported by:	sasamotikomi@gmail.com
  MFH:		2016Q1
  Security:	CVE-2016-1897
  		CVE-2016-1898

Changes:
  head/multimedia/ffmpeg/Makefile
  head/multimedia/ffmpeg/distinfo
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-01-17 10:13:00 UTC
A commit references this bug:

Author: riggs
Date: Sun Jan 17 10:12:17 UTC 2016
New revision: 406293
URL: https://svnweb.freebsd.org/changeset/ports/406293

Log:
  Document zero day remote vulnerability in ffmpeg 2.0.0 - 2.8.4

  PR:		206282

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-01-17 10:15:02 UTC
A commit references this bug:

Author: riggs
Date: Sun Jan 17 10:14:49 UTC 2016
New revision: 406294
URL: https://svnweb.freebsd.org/changeset/ports/406294

Log:
  MFH: r406290

  Upgrade to upstream release 2.8.5; fix zero-day remote vulnerability

  Both mentioned CVE IDs refer to vulnerabilities where a remote attacker
  can read arbitrary files by using the subfile protocol in an HTTP Live
  Streaming (HLS) M3U8 file. The new release fixes those in the process.

  PR:		206282
  Reported by:	sasamotikomi@gmail.com
  Security:	CVE-2016-1897
  		CVE-2016-1898
  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/multimedia/ffmpeg/Makefile
  branches/2016Q1/multimedia/ffmpeg/distinfo
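
A defensive check for the issue described in the commit logs above, added here as an example (it is not code from the FreeBSD port or from FFmpeg): it audits an HLS playlist and reports entries whose protocol is not on an allowlist, such as `subfile`. The allowlist, the function names and the sample playlist are assumptions constructed for illustration.

```python
import re

# Assumption: untrusted playlists may only fetch over these protocols.
ALLOWED_SCHEMES = {"http", "https"}
# URI="..." attributes inside tags such as #EXT-X-KEY or #EXT-X-MAP.
URI_ATTR = re.compile(r'URI="([^"]*)"')
# Leading protocol name. FFmpeg protocols such as subfile put options after
# a comma ("subfile,,start,..."), so ',' ends the name as well as ':'.
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)[,:]")

# Constructed sample playlist; host and path are placeholders.
SAMPLE = """\
#EXTM3U
#EXTINF:10.0,
https://media.example.test/seg0.ts
#EXTINF:10.0,
seg1.ts
#EXTINF:10.0,
subfile,,start,0,end,64,,:/placeholder/local/file
#EXT-X-ENDLIST
"""

def playlist_uris(text):
    """Yield (line_number, uri) for segment lines and URI="..." attributes."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            for match in URI_ATTR.finditer(line):
                yield number, match.group(1)
        elif line:
            yield number, line

def scheme_of(uri):
    """Return the lower-cased protocol name, or None for a relative URI."""
    match = SCHEME.match(uri)
    return match.group(1).lower() if match else None

def audit_playlist(text, allowed=ALLOWED_SCHEMES):
    """Return (line_number, scheme, uri) for every entry off the allowlist."""
    return [(n, scheme_of(u), u) for n, u in playlist_uris(text)
            if scheme_of(u) is not None and scheme_of(u) not in allowed]

def looks_like_hls(blob):
    """Heuristic: True if a file of any extension carries the HLS marker."""
    return b"#EXTM3U" in blob

if __name__ == "__main__":
    for finding in audit_playlist(SAMPLE):
        print("disallowed protocol:", finding)
```

A check like this only helps triage untrusted input; the upgrade to 2.8.5 recorded in this bug is the fix.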