ffmpeg is a "cross-platform solution to record, convert and stream audio and video". ffmpeg is vulnerable to local file disclosure due to improper enforcement of domain restrictions when processing playlist files.
CWE-201: Information Exposure Through Sent Data - CVE-2016-1897, CVE-2016-1898
When a user opens a maliciously crafted playlist file in ffmpeg, ffmpeg will query a server for remote data. By carefully crafting the playlist, an attacker can cause ffmpeg to request internet URIs that expose file:// content from the victim's machine. CVE-2016-1897 refers to an issue with processing playlists that use concatenations, while CVE-2016-1898 refers to a related issue with subfiles.
By causing a specially-crafted playlist file to be processed with ffmpeg or Libav, a remote attacker may acquire file contents from a vulnerable system. In some circumstances, this may occur without explicit user interaction (such as the creation of a thumbnail preview by a file manager).
Apply an update
This vulnerability was publicly disclosed by Maxim Andreev.
This document was written by Garret Wassermann and Will Dormann.