
CERT Coordination Center

ffmpeg and Libav cross-domain information disclosure vulnerability

Vulnerability Note VU#772447

Original Release Date: 2016-01-20 | Last Revised: 2016-03-10

Overview

ffmpeg is a "cross-platform solution to record, convert and stream audio and video". ffmpeg is vulnerable to local file disclosure due to improper enforcement of domain restrictions when processing playlist files.

Description

CWE-201: Information Exposure Through Sent Data - CVE-2016-1897, CVE-2016-1898

When a user opens a maliciously crafted playlist file in ffmpeg, ffmpeg will query a server for remote data. By carefully crafting the playlist, an attacker can cause ffmpeg to request internet URIs that expose file:// content from the victim's machine. CVE-2016-1897 refers to an issue with processing playlists that use concatenations, while CVE-2016-1898 refers to a related issue with subfiles.

According to a mailing list post from MITRE's CVE team:

The essential problem is that a crafted file forces the victim to visit an arbitrary external URL, but this URL is constructed using data from the victim's local filesystem.

More details are provided by the researcher in a blog post (in Russian).

Libav is a fork of ffmpeg and is also vulnerable.
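The note describes the defect as a failure to enforce domain restrictions on playlist entries: a playlist fetched from a remote origin must not be allowed to pull the demuxer onto a local file: reference, directly or through a nesting protocol such as concat: or subfile:. The following checker is an added example written for this note (it is not CERT, ffmpeg or Libav code) that applies such a policy to an M3U/HLS playlist before it is handed to a media tool. The function names, the allow-list and both sample playlists (including the PLACEHOLDER path) are constructed for illustration; the only ffmpeg facts it relies on are the protocol names the note itself mentions.

```python
"""Allow-list check for the URI schemes referenced by a playlist.

Added example for this vulnerability note, not code from CERT or ffmpeg.
An entry is blocked when any scheme it references, outer or nested, is
outside the allow-list; an entry on an allowed scheme but a different host
than the playlist's origin is only warned about, since CDN-hosted segments
are a normal case.
"""
import re
from urllib.parse import urlsplit

# Schemes a remotely fetched playlist may legitimately reference.
ALLOWED_SCHEMES = {"http", "https"}

# Protocol names that appear as 'name:' with no '//' after them. concat: and
# subfile: are the nesting protocols named in the note; file: is the local
# scheme a remote playlist must never reach.
NO_SLASH_PROTOCOLS = {"concat", "subfile", "file"}

# 'word:' tokens not preceded by an alphanumeric character.
_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])([A-Za-z][A-Za-z0-9+.-]*):")


def schemes_in(uri):
    """Every URI scheme referenced anywhere in one entry, outer and nested."""
    found = []
    for m in _TOKEN_RE.finditer(uri):
        name = m.group(1).lower()
        follows = uri[m.end():m.end() + 2]
        if follows == "//" or name in NO_SLASH_PROTOCOLS:
            found.append(name)
    return found


def check_entry(uri, origin_host):
    """Return (verdict, reason) for one entry: 'block', 'warn' or 'ok'."""
    schemes = schemes_in(uri)
    if not schemes:
        # Relative reference: resolved against the playlist's own location.
        return ("ok", "relative reference")
    bad = sorted(set(schemes) - ALLOWED_SCHEMES)
    if bad:
        return ("block", "disallowed scheme(s): " + ", ".join(bad))
    host = (urlsplit(uri).hostname or "").lower()
    if host != origin_host.lower():
        return ("warn", f"cross-domain reference to {host}")
    return ("ok", "same-origin reference")


def check_playlist(text, origin_host):
    """Check each non-tag line; return (line_no, verdict, reason, uri) for
    every entry that is not 'ok'."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and #EXT tags
            continue
        verdict, reason = check_entry(line, origin_host)
        if verdict != "ok":
            findings.append((lineno, verdict, reason, line))
    return findings


# Constructed sample playlists (hypothetical hosts, placeholder path).
BENIGN_PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXTINF:10.0,
seg-000.ts
#EXTINF:10.0,
https://cdn.example.net/stream/seg-001.ts
#EXT-X-ENDLIST
"""

SUSPECT_PLAYLIST = """#EXTM3U
#EXTINF:10.0,
file:///PLACEHOLDER/local-file
#EXTINF:10.0,
concat:file:///PLACEHOLDER/local-file|https://media.example.com/seg.ts
#EXTINF:10.0,
https://media.example.com/seg.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_PLAYLIST), ("suspect", SUSPECT_PLAYLIST)):
        print(name)
        for lineno, verdict, reason, uri in check_playlist(text, "media.example.com"):
            print(f"  line {lineno}: {verdict}: {reason}: {uri}")
```

The policy is deliberately coarse: it rejects any nesting protocol rather than trying to parse each one's syntax, because a parser that has to understand concat: and subfile: is exactly the component that failed here. Later ffmpeg releases expose a comparable control through the protocol_whitelist option; whether a given build honours it for nested protocols is something to verify against that build's documentation rather than assume.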

Impact

By causing a specially-crafted playlist file to be processed with ffmpeg or Libav, a remote attacker may acquire file contents from a vulnerable system. In some circumstances, this may occur without explicit user interaction (such as the creation of a thumbnail preview by a file manager).

Solution

Apply an update

ffmpeg version 2.8.5 has been released to address this issue. Affected users are encouraged to update as soon as possible.

Vendor Information


Alpine Linux

Updated:  January 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Arch Linux

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Debian GNU/Linux

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Gentoo Linux

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Libav

Updated:  January 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Ubuntu

Notified:  January 20, 2016 Updated:  January 20, 2016

Statement Date:   January 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We've sponsored updates for Ubuntu 15.04 (ffmpeg 7:2.5.10-0ubuntu0.15.04.1) and Ubuntu 15.10 (ffmpeg 7:2.7.5-0ubuntu0.15.10.1).

Vendor References

VideoLAN

Updated:  January 21, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

ffmpeg

Updated:  January 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CentOS

Notified:  January 20, 2016 Updated:  January 21, 2016

Statement Date:   January 21, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

Red Hat ships only qffmpeg, which is a stripped-down fork of ffmpeg that is not vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  January 20, 2016 Updated:  March 10, 2016

Statement Date:   March 10, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OmniTI

Notified:  January 20, 2016 Updated:  January 20, 2016

Statement Date:   January 20, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Neither of these (ffmpeg or libav) is in OmniOS. They may be in unsupported 3rd-party packages, but they are not in OmniOS itself.

Red Hat, Inc.

Notified:  January 20, 2016 Updated:  January 21, 2016

Statement Date:   January 21, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

Red Hat ships only qffmpeg, which is a stripped-down fork of ffmpeg that is not vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CoreOS

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DesktopBSD

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DragonFly BSD Project

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

F5 Networks, Inc.

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Fedora Project

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

FreeBSD Project

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hardened BSD

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett Packard Enterprise

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hitachi

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM eServer

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Juniper Networks

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NEC Corporation

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NetBSD

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nokia

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Openwall GNU/*/Linux

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Oracle Corporation

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

PC-BSD

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Slackware Linux Inc.

Notified:  January 20, 2016 Updated:  January 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

openSUSE project

Notified:  January 20, 2016 Updated:  January 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           5.0    AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal       3.9    E:POC/RL:OF/RC:C
Environmental  2.9    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was publicly disclosed by Maxim Andreev.

This document was written by Garret Wassermann and Will Dormann.

Other Information

CVE IDs: CVE-2016-1897, CVE-2016-1898
Date Public: 2016-01-12
Date First Published: 2016-01-20
Date Last Updated: 2016-03-10 22:02 UTC
Document Revision: 47

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.