Maxim AndreevVU:772447ffmpeg and Libav cross-domain information disclosure vulnerability
0.005 Low
EPSS
Percentile
77.0%
Overview
ffmpeg is a “cross-platform solution to record, convert and stream audio and video”. ffmpeg is vulnerable to local file disclosure due to improper enforcement of domain restrictions when processing playlist files.
Description
CWE-201**: Information Exposure Through Sent Data**** -CVE-2016-1897,**CVE-2016-1898
When a user opens a maliciously crafted playlist file in ffmpeg, ffmpeg will query a server for remote data. By carefully crafting the playlist, an attacker can cause ffmpeg to request internet URIs that expose file:// content from the victim’s machine. CVE-2016-1897 refers to an issue with processing playlists that use concatenations, while CVE-2016-1898 refers to a related issue with subfiles.
According to a mailing list post from MITRE’s CVE team:
The essential problem is that a crafted file forces the victim to visit an arbitrary external URL, but this URL is constructed using data from the victim’s local filesystem.
More details are provided by the researcher in a blog post (in Russian).
Libav is a fork of ffmpeg and is also vulnerable.
Impact
By causing a specially-crafted playlist file to be processed with ffmpeg or Libav, a remote attacker may acquire file contents from a vulnerable system. In some circumstances, this may occur without explicit user interaction (such as the creation of a thumbnail preview by a file manager).
Solution
Apply an update
ffmpeg version 2.8.5 has been released to address this issue. Affected users are encouraged to update as soon as possible.
Vendor Information
772447
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Alpine Linux Affected
Updated: January 20, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Arch Linux Affected
Notified: January 20, 2016 Updated: January 20, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
- <https://bugs.archlinux.org/task/47738>
- <https://lists.archlinux.org/pipermail/arch-security/2016-January/000522.html>
Debian GNU/Linux Affected
Notified: January 20, 2016 Updated: January 20, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Gentoo Linux Affected
Notified: January 20, 2016 Updated: January 20, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Libav Affected
Updated: January 20, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SUSE Linux Affected
Notified: January 20, 2016 Updated: January 20, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
- <https://www.suse.com/security/cve/CVE-2016-1897.html>
- <https://bugzilla.suse.com/show_bug.cgi?id=961937>
Ubuntu __ Affected
Notified: January 20, 2016 Updated: January 20, 2016
Statement Date: January 20, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We’ve sponsored updates for Ubuntu 15.04 (ffmpeg 7:2.5.10-0ubuntu0.15.04.1) and Ubuntu 15.10 (ffmpeg 7:2.7.5-0ubuntu0.15.10.1).
Vendor References
VideoLAN Affected
Updated: January 21, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
- <http://git.videolan.org/gitweb.cgi/ffmpeg.git/?p=ffmpeg.git;a=commitdiff;h=7145e80b4f78cff5ed5fee04d4c4d53daaa0e077>
- <http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ba42b6482c725a59eb468391544dc0c75b8c6f0>
ffmpeg Affected
Updated: January 20, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
CentOS __ Not Affected
Notified: January 20, 2016 Updated: January 21, 2016
Statement Date: January 21, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Addendum
Red Hat ships only qffmpeg, which is a stripped-down fork of ffmpeg that is not vulnerable.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23772447 Feedback>).
Microsoft Corporation Not Affected
Notified: January 20, 2016 Updated: March 10, 2016
Statement Date: March 10, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
OmniTI __ Not Affected
Notified: January 20, 2016 Updated: January 20, 2016
Statement Date: January 20, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Neither of these (ffmpeg or libav) are in OmniOS. They may be in unsupported 3rd-party packages, but they are not in OmniOS itself.
Red Hat, Inc. __ Not Affected
Notified: January 20, 2016 Updated: January 21, 2016
Statement Date: January 21, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Addendum
Red Hat ships only qffmpeg, which is a stripped-down fork of ffmpeg that is not vulnerable.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23772447 Feedback>).
Apple Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CoreOS Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DesktopBSD Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DragonFly BSD Project Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EMC Corporation Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
F5 Networks, Inc. Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fedora Project Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
FreeBSD Project Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hardened BSD Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hewlett Packard Enterprise Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hitachi Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM Corporation Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM eServer Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Juniper Networks Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NEC Corporation Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NetBSD Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nokia Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Openwall GNU/*/Linux Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Oracle Corporation Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
PC-BSD Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
QNX Software Systems Inc. Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Slackware Linux Inc. Unknown
Notified: January 20, 2016 Updated: January 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sony Corporation Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Turbolinux Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Unisys Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
m0n0wall Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
openSUSE project Unknown
Notified: January 20, 2016 Updated: January 20, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
View all 40 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Temporal | 3.9 | E:POC/RL:OF/RC:C |
| Environmental | 2.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- <http://habrahabr.ru/company/mailru/blog/274855>
- <http://www.openwall.com/lists/oss-security/2016/01/14/1>
Acknowledgements
This vulnerability was publicly disclosed by Maxim Andreev.
This document was written by Garret Wassermann and Will Dormann.
Other Information
| CVE IDs: | CVE-2016-1897, CVE-2016-1898 |
|---|---|
| Date Public: | 2016-01-12 Date First Published: |
Related
