Date: Thu, 14 Jan 2016 02:59:05 -0500 (EST)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Fwd: FFmpeg: stealing local files with HLS+concat

> http://habrahabr.ru/company/mailru/blog/274855

As far as we can tell, there are two distinct cross-origin issues
within FFmpeg's URL processing. Use CVE-2016-1897 for the concat issue
(which is fully described in the blog/274855 reference) and
CVE-2016-1898 for the subfile issue (which is mentioned but not
described in the blog/274855 reference).

The essential problem is that a crafted file forces the victim to
visit an arbitrary external URL, but this URL is constructed using
data from the victim's local filesystem.


> https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/super-turbo-atomic-gif-converter

This might describe a vulnerability, but we aren't sure whether the
access to file:///home/ctf/flag.txt is really unintended FFmpeg
behavior. This might be better modeled as a site-specific
vulnerability in the web service, because it should have arranged for
the file:///home/ctf/flag.txt URL to be interpreted within an
appropriately safe sandbox context.

Similarly, the reports of FFmpeg SSRF in blog/274855 might be better
modeled as site-specific vulnerabilities within the "online video
conversion" web application.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
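
The message above places the sandboxing of local URLs with the converting service. As an added example (not part of the original message and not FFmpeg code), here is a pre-flight check such a service could run on an uploaded HLS playlist before handing it to FFmpeg, flagging entries whose protocol is anything other than http/https, including the concat and subfile protocols named above. The allow-list, function names and sample playlist are assumptions constructed for illustration.

```python
import re

# Assumption: the service only ever needs remote segments over these schemes.
ALLOWED_SCHEMES = {"http", "https"}
# URI="..." attributes inside tags (e.g. EXT-X-KEY, EXT-X-MAP) are fetched too.
URI_ATTR = re.compile(r'URI="([^"]*)"')
# FFmpeg protocol prefix: a name, optional ",,key,value,," options, then ':'.
# A generic URL parser misses "subfile,,start,0,...:" because of the commas.
PROTO = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*)(?:,[^:]*)?:')

def uri_protocol(uri):
    """Return the lower-cased protocol prefix, or None for a relative entry."""
    m = PROTO.match(uri.strip())
    return m.group(1).lower() if m else None

def playlist_uris(text):
    """Yield (line_number, uri) for segment lines and URI= tag attributes."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            for uri in URI_ATTR.findall(line):
                yield lineno, uri
        elif line:
            yield lineno, line

def find_violations(text):
    """List (line_number, protocol, uri) for entries outside the allow-list."""
    # Entries without a protocol are relative to the playlist's own URL, so
    # the playlist itself must have been fetched over an allowed scheme.
    return [(n, p, u) for n, u in playlist_uris(text)
            if (p := uri_protocol(u)) is not None and p not in ALLOWED_SCHEMES]

# Constructed sample playlist (not taken from the referenced write-ups).
SAMPLE = """\
#EXTM3U
#EXT-X-MAP:URI="file:///home/ctf/flag.txt"
#EXTINF:10,
https://media.example.invalid/seg1.ts
#EXTINF:10,
seg2.ts
#EXTINF:10,
concat:seg1.ts|seg2.ts
#EXTINF:10,
subfile,,start,0,end,100,,:seg1.ts
#EXT-X-ENDLIST
"""
if __name__ == "__main__":
    for lineno, proto, uri in find_violations(SAMPLE):
        print(f"line {lineno}: disallowed protocol {proto!r}: {uri}")
```

A check like this complements, and does not replace, running the conversion in a sandbox with no access to sensitive local files or internal network addresses.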
