ffmpeg and Libav cross-domain information disclosure vulnerability

2016-01-20T00:00:00
ID VU:772447
Type cert
Reporter Maxim Andreev
Modified 2016-03-10T22:02:00

Description

Overview

ffmpeg is a "cross-platform solution to record, convert and stream audio and video". ffmpeg is vulnerable to local file disclosure due to improper enforcement of domain restrictions when processing playlist files.

Description

CWE-201: Information Exposure Through Sent Data - CVE-2016-1897, CVE-2016-1898

When a user opens a maliciously crafted playlist file in ffmpeg, ffmpeg will query a server for remote data. By carefully crafting the playlist, an attacker can cause ffmpeg to request internet URIs that carry content read from file:// paths on the victim's machine, so that local file contents are sent to a server the attacker controls. CVE-2016-1897 refers to an issue with processing playlists that use concatenations, while CVE-2016-1898 refers to a related issue with subfiles.

According to a mailing list post from MITRE's CVE team:

The essential problem is that a crafted file forces the victim to visit an arbitrary external URL, but this URL is constructed using data from the victim's local filesystem.

More details are provided by the researcher in a blog post (in Russian).

Libav is a fork of ffmpeg and is also vulnerable.
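As an added illustration (not code from this note, from ffmpeg or from Libav), the following Python check applies a restriction in the spirit of the one this note describes to an untrusted playlist before it is handed to a media tool such as a thumbnailer: segment references must be relative or use http/https, and any other protocol prefix (file, concat, subfile and so on) is reported. The allow-list and the sample playlist are constructed for the example.

```python
import re

# Protocols a remote playlist may legitimately reference for its segments.
# Anything else (file, concat, subfile, ...) is the kind of reference the
# advisory describes and is reported. This allow-list is an assumption of
# the example, not a setting taken from ffmpeg.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# ffmpeg-style protocol prefix: a name followed by a colon (e.g. "concat:").
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def segment_refs(playlist_text):
    """Return the URI lines of an M3U/M3U8 playlist, skipping tags/comments."""
    return [ln.strip() for ln in playlist_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def scheme_of(uri):
    """Lowercase protocol prefix of a reference, or '' if it is relative."""
    m = _SCHEME_RE.match(uri)
    return m.group(1).lower() if m else ""


def check_playlist(playlist_text, allowed=ALLOWED_SCHEMES):
    """Return [(uri, scheme)] for each reference using a non-allowed protocol.

    Relative references resolve against the playlist's own URL and pass;
    an empty result means every reference stays within the allow-list.
    """
    return [(uri, scheme_of(uri))
            for uri in segment_refs(playlist_text)
            if scheme_of(uri) and scheme_of(uri) not in allowed]


# Constructed sample: two acceptable references and two that would make the
# player reach outside http(s). Placeholder paths, not a real payload.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXTINF:10.0,
segment0.ts
#EXTINF:10.0,
https://cdn.example.invalid/segment1.ts
#EXTINF:10.0,
file:///placeholder/local-path.ts
#EXTINF:10.0,
concat:PLACEHOLDER
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for uri, scheme in check_playlist(SAMPLE_PLAYLIST):
        print(f"blocked protocol '{scheme}': {uri}")
```

A playlist that produces any finding should be refused rather than passed to the decoder, regardless of whether the tool itself has been updated.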


Impact

By causing a specially-crafted playlist file to be processed with ffmpeg or Libav, a remote attacker may acquire file contents from a vulnerable system. In some circumstances, this may occur without explicit user interaction (such as the creation of a thumbnail preview by a file manager).


Solution

Apply an update

ffmpeg version 2.8.5 has been released to address this issue. Affected users are encouraged to update as soon as possible.


Vendor Information


Alpine Linux Affected

Updated: January 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://bugs.alpinelinux.org/issues/5029>

Arch Linux Affected

Notified: January 20, 2016 Updated: January 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <https://bugs.archlinux.org/task/47738>
  • <https://lists.archlinux.org/pipermail/arch-security/2016-January/000522.html>

Debian GNU/Linux Affected

Notified: January 20, 2016 Updated: January 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <https://security-tracker.debian.org/tracker/CVE-2016-1897>

Gentoo Linux Affected

Notified: January 20, 2016 Updated: January 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Libav Affected

Updated: January 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Affected

Notified: January 20, 2016 Updated: January 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <https://www.suse.com/security/cve/CVE-2016-1897.html>
  • <https://bugzilla.suse.com/show_bug.cgi?id=961937>

Ubuntu Affected

Notified: January 20, 2016 Updated: January 20, 2016

Statement Date: January 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We've sponsored updates for Ubuntu 15.04 (ffmpeg 7:2.5.10-0ubuntu0.15.04.1) and Ubuntu 15.10 (ffmpeg 7:2.7.5-0ubuntu0.15.10.1).

Vendor References

  • <https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367>

VideoLAN Affected

Updated: January 21, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://git.videolan.org/gitweb.cgi/ffmpeg.git/?p=ffmpeg.git;a=commitdiff;h=7145e80b4f78cff5ed5fee04d4c4d53daaa0e077>
  • <http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ba42b6482c725a59eb468391544dc0c75b8c6f0>

ffmpeg Affected

Updated: January 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <https://www.ffmpeg.org/security.html>

CentOS Not Affected

Notified: January 20, 2016 Updated: January 21, 2016

Statement Date: January 21, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Addendum

Red Hat ships only qffmpeg, which is a stripped-down fork of ffmpeg that is not vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation Not Affected

Notified: January 20, 2016 Updated: March 10, 2016

Statement Date: March 10, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OmniTI Not Affected

Notified: January 20, 2016 Updated: January 20, 2016

Statement Date: January 20, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Neither of these (ffmpeg or libav) is in OmniOS. They may be in unsupported 3rd-party packages, but they are not in OmniOS itself.

Red Hat, Inc. Not Affected

Notified: January 20, 2016 Updated: January 21, 2016

Statement Date: January 21, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Addendum

Red Hat ships only qffmpeg, which is a stripped-down fork of ffmpeg that is not vulnerable.

Apple Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

CoreOS Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

DesktopBSD Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

DragonFly BSD Project Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

EMC Corporation Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

F5 Networks, Inc. Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Fedora Project Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

FreeBSD Project Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Hardened BSD Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Hitachi Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Corporation Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM eServer Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Juniper Networks Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

NEC Corporation Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

NetBSD Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Nokia Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Openwall GNU/*/Linux Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Oracle Corporation Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

PC-BSD Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

QNX Software Systems Inc. Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Slackware Linux Inc. Unknown

Notified: January 20, 2016 Updated: January 21, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Turbolinux Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Unisys Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

m0n0wall Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

openSUSE project Unknown

Notified: January 20, 2016 Updated: January 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.


CVSS Metrics

Group | Score | Vector
---|---|---
Base | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal | 3.9 | E:POC/RL:OF/RC:C
Environmental | 2.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • <http://habrahabr.ru/company/mailru/blog/274855>
  • <http://www.openwall.com/lists/oss-security/2016/01/14/1>

Acknowledgements

This vulnerability was publicly disclosed by Maxim Andreev.

This document was written by Garret Wassermann and Will Dormann.

Other Information

CVE IDs: | CVE-2016-1897, CVE-2016-1898
---|---
Date Public: | 2016-01-12
Date First Published: | 2016-01-20
Date Last Updated: | 2016-03-10 22:02 UTC
Document Revision: | 49