Slashdot Mirror


Zero-Day Vulnerability Discovered In FFmpeg Lets Attackers Steal Files Remotely

prisoninmate writes: A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, has been discovered recently by Russian programmer Maxim Andreev in the current stable builds of the software. It appears to let anyone with the necessary skills hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file. Arch Linux devs already rebuilt their FFmpeg packages without the AppleHTTP and HLS demuxers.

12 of 72 comments

  1. Very wide impact. by Anonymous+Psychopath · · Score: 5, Informative

    Ffmpeg is used in some capacity in just about every video application I can think of. VLC, Kodi/XBMC, MythTV, Handbrake, Plex...

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

    1. Re:Very wide impact. by QuantumReality · · Score: 2

      And in Google Chrome, because I compiled it myself for Chromium

    2. Re:Very wide impact. by dissy · · Score: 4, Informative

      I think I'm going to remove the package until a new, fixed version comes out, or at least detailed information on how to mitigate the vulnerability until a fix comes along.

      The article suggests a mitigation, however it sounds like it may just be easier to remove the package until your upstream provides updates...

      James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.
      It is also possible to fix the issue by rebuilding the FFmpeg packages without network support, using the --disable-network configure flag, but that seems a bit too much.

      A commenter in the arch bug report listing also says:

      Btw, one could also do --disable-demuxer='hls,applehttp', but rebuilding without network support looks like a more robust solution for now (until the issue is inspected and fixed upstream).

      https://bugs.archlinux.org/tas...

      My understanding is the specific bug reported in Russian is exploited via HLS, however it is unconfirmed if the same method could be used and exploited in other network stream demuxers yet.
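The two mitigations quoted above (dropping the HLS/AppleHTTP demuxer, or building with `--disable-network`) can be verified on an installed binary. The following audit script is an added example, not code from this thread, from Arch or from FFmpeg; it parses `ffmpeg -demuxers` and `ffmpeg -version` output read from stdin, so the constructed sample outputs embedded below (not captured from a real host) stand in when no ffmpeg binary is present.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread or from FFmpeg itself.
# Audits an FFmpeg build for the two mitigations discussed in the thread:
#   1. is the hls/applehttp demuxer compiled in?   (parsed from `ffmpeg -demuxers`)
#   2. was the build configured with --disable-network?  (parsed from `ffmpeg -version`)
# Both checks read tool output on stdin so they can be driven by constructed samples.

# Return 0 if the named demuxer (hls or applehttp) is listed in `ffmpeg -demuxers`
# output on stdin. FFmpeg lists aliases comma-separated in the name column.
demuxer_enabled() {
    awk -v want="$1" '
        $1 == "D" {
            n = split($2, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the "configuration:" line of `ffmpeg -version` on stdin carries
# --disable-network, i.e. the build has no network protocols at all.
network_disabled() {
    awk '
        $1 == "configuration:" {
            for (i = 2; i <= NF; i++) if ($i == "--disable-network") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# $1 = demuxer listing, $2 = version output. Prints a verdict and returns 0
# only for the risky combination: hls/applehttp present AND networking enabled.
build_exposed() {
    demuxers="$1"; version="$2"
    if printf '%s\n' "$version" | network_disabled; then
        echo "ok: built with --disable-network"; return 1
    fi
    if printf '%s\n' "$demuxers" | demuxer_enabled hls \
       || printf '%s\n' "$demuxers" | demuxer_enabled applehttp; then
        echo "EXPOSED: hls/applehttp demuxer present and networking enabled"; return 0
    fi
    echo "ok: hls/applehttp demuxer not compiled in"; return 1
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_DEMUXERS_DEFAULT=' D  h264            raw H.264 video
 D  hls,applehttp   Apple HTTP Live Streaming
 D  image2          image2 sequence'
SAMPLE_DEMUXERS_NOHLS=' D  h264            raw H.264 video
 D  image2          image2 sequence'
SAMPLE_VERSION_DEFAULT='ffmpeg version N-placeholder
  configuration: --prefix=/usr --enable-gpl --enable-shared'
SAMPLE_VERSION_NONET='ffmpeg version N-placeholder
  configuration: --prefix=/usr --enable-gpl --disable-network'

# Audit the real binary when one is on PATH, otherwise the constructed samples.
if command -v ffmpeg >/dev/null 2>&1; then
    build_exposed "$(ffmpeg -hide_banner -demuxers 2>/dev/null)" \
                  "$(ffmpeg -version 2>/dev/null)" || :
else
    build_exposed "$SAMPLE_DEMUXERS_DEFAULT" "$SAMPLE_VERSION_DEFAULT" || :
fi
```

A build rebuilt with `--disable-demuxer='hls,applehttp'` drops the `hls,applehttp` line from the listing, and one rebuilt with `--disable-network` carries that flag on its configuration line, so the script reports either state as not exposed; any other combination is the one the thread is warning about.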

    3. Re:Very wide impact. by fluffernutter · · Score: 4, Interesting

      But the question is, how easy is it to end up playing a 'specially crafted file' if you're playing video in VLC or Kodi? I mean, understood that any website could have an ad video that plays and opens up this connection but what is the reality of the risk for standalone players?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.

    4. Re:Very wide impact. by 110010001000 · · Score: 4, Informative

      Any video file that you torrent could now open you up for risk. That means about 99% of Kodi users.

    5. Re:Very wide impact. by squiggleslash · · Score: 2

      OTOH it's installed in far fewer places than people think. A hell of a lot of installations are of libav, where the CLI interface avconv has been softlinked with ffmpeg as an alias.

      Given the shared heritage between the two, I'd be curious to know whether the vulnerabilities are in both avconv and "original" ffmpeg.

      --
      You are not alone. This is not normal. None of this is normal.

  2. Re: why so hung up about arch? by Anonymous Coward · · Score: 3, Insightful

    Don't gentoo users choose their own build settings / features by default? What do you want the article to say? "Most gentoo users probably have the problem fixed by themselves already too but we don't really know?"

  3. FFmpegd by Anonymous Coward · · Score: 2, Funny

    Don't worry, Lennart is busy trying to absorb FFmpeg into systemd. Once there's some Poettering shitcode in FFmpeg, it'll cease to work at all and the vulnerability will have been neutralized.

    1. Re:FFmpegd by vel-ex-tech · · Score: 2

      It works pretty well for me at least. I don't use Exherbo's repos, but I've found paludis' correctness, while aggravating at times, to at least be correct in that it doesn't break my system in the weird ways Gentoo portage does.

      If you have a Gentoo box for 3 or 4 years, eventually it'll get weirdly broken with emerge. That's why I even sought out paludis.

  4. Re:Now this. This is news! by Anonymous+Psychopath · · Score: 3, Informative

    Whelp another good reason to have a decent firewall.

    Once you put a malformed video file on a system with a vulnerable ffmpeg, and ffmpeg is used to access the file, it makes an outbound connection. Most firewalls are configured to happily pass along anything originated from the inside network.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.
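The egress point made in the comment above can be turned into a concrete control: run ffmpeg on untrusted files under a dedicated unprivileged account and deny that account any outbound traffic by default. The script below is an added example, not from this thread; it generates an nftables ruleset keyed on the worker's uid. The uid 2001, the account's need for loopback only, and the log prefix are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread. Default-deny egress for the
# account that runs ffmpeg on untrusted input, expressed as an nftables ruleset.
# Assumptions (constructed): the worker runs as uid 2001 and legitimately needs
# only loopback traffic. Adjust both for your deployment.

TRANSCODE_UID="${TRANSCODE_UID:-2001}"

# Write the ruleset to the path in $1. Blocked attempts are logged with a
# recognisable prefix so a media file that tries to reach the network shows up
# in the kernel log (and from there in whatever collects it) as an indicator.
write_egress_ruleset() {
    cat > "$1" <<EOF
table inet transcode_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        meta skuid $TRANSCODE_UID oif "lo" accept
        meta skuid $TRANSCODE_UID log prefix "transcode-egress-blocked: " drop
    }
}
EOF
}

# Number of rules in the file that reference the worker uid; a caller can
# sanity-check this before loading (expected: 2, the loopback accept and the drop).
count_uid_rules() {
    grep -c "meta skuid $TRANSCODE_UID" "$1"
}

# Syntax-check the file with nft when it is available (nft -c parses without
# loading). Returns 0 when the check passes or nft is absent, so the script
# stays usable on a workstation that only generates the file for review.
check_egress_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check of $1"
    fi
}

out="${TMPDIR:-/tmp}/transcode_egress.nft"
write_egress_ruleset "$out"
check_egress_ruleset "$out"
cat "$out"
```

Loading the generated file is a separate, privileged step (`nft -f` as root) that is deliberately left out of the script so running it has no side effects; once loaded, a hit on the `transcode-egress-blocked:` prefix is the signal that a file handed to the worker tried to open an outbound connection.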

  5. WTF by edittard · · Score: 4, Funny

    Submitted by prisoninmate. Presumably he's in for crimes against the English language.

    He's certainly familiar with really long sentences.

    --
    At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.

  6. Hosting conversion software by mcrbids · · Score: 2

    We use ffmpeg to process video files uploaded by customers. We'll be patching our app first thing in the morning. This is a big deal for us.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.