Attacker can simple put m3u8 in media container and get access to your local file( for example password). I recommend build ffmpeg with --disable-network http://news.softpedia.com/news/zero-day-ffmpeg-vulnerability-lets-anyone-steal-files-from-remote-machines-498880.shtml
Thomas, can you mark 2.8.5 update (the fix) as MFH candidate? It'd be nice to start having quaterly branches updated: 2.8.x for 2016Q1. ffmpeg has pretty wide attack surface (numerious codecs, demuxers, filters, etc) even excluding external libraries. http://abi-laboratory.pro/tracker/timeline/ffmpeg/index.html
(In reply to Jan Beich from comment #1) Yes, absolutely. Testing the 2.8.5 update right now, and looks good so far. If I don't encounter anything out of the ordinary, it will hit the tree soon.
A commit references this bug: Author: riggs Date: Sun Jan 17 09:58:37 UTC 2016 New revision: 406290 URL: https://svnweb.freebsd.org/changeset/ports/406290 Log: Upgrade to upstream release 2.8.5; fix zero-day remote vulnerability Both mentioned CVE IDs refer to vulnerabilities where a remote attacker can read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file. The new release fixes those in the process. PR: 206282 Reported by: sasamotikomi@gmail.com MFH: 2016Q1 Security: CVE-2016-1897 CVE-2016-1898 Changes: head/multimedia/ffmpeg/Makefile head/multimedia/ffmpeg/distinfo
A commit references this bug: Author: riggs Date: Sun Jan 17 10:12:17 UTC 2016 New revision: 406293 URL: https://svnweb.freebsd.org/changeset/ports/406293 Log: Document zero day remote vulnerability in ffmpeg 2.0.0 - 2.8.4 PR: 206282 Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: riggs Date: Sun Jan 17 10:14:49 UTC 2016 New revision: 406294 URL: https://svnweb.freebsd.org/changeset/ports/406294 Log: MFH: r406290 Upgrade to upstream release 2.8.5; fix zero-day remote vulnerability Both mentioned CVE IDs refer to vulnerabilities where a remote attacker can read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file. The new release fixes those in the process. PR: 206282 Reported by: sasamotikomi@gmail.com Security: CVE-2016-1897 CVE-2016-1898 Approved by: ports-secteam (miwi) Changes: _U branches/2016Q1/ branches/2016Q1/multimedia/ffmpeg/Makefile branches/2016Q1/multimedia/ffmpeg/distinfo