Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 14 Jan 2016 02:59:05 -0500 (EST)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Fwd: FFmpeg: stealing local files with HLS+concat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://habrahabr.ru/company/mailru/blog/274855

As far as we can tell, there are two distinct cross-origin issues
within FFmpeg's URL processing. Use CVE-2016-1897 for the concat issue
(which is fully described in the blog/274855 reference) and
CVE-2016-1898 for the subfile issue (which is mentioned but not
described in the blog/274855 reference).

The essential problem is that a crafted file forces the victim to
visit an arbitrary external URL, but this URL is constructed using
data from the victim's local filesystem.


> https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/super-turbo-atomic-gif-converter

This might describe a vulnerability, but we aren't sure whether the
access to file:///home/ctf/flag.txt is really unintended FFmpeg
behavior. This might be better modeled as a site-specific
vulnerability in the web service, because it should have arranged for
the file:///home/ctf/flag.txt URL to be interpreted within an
appropriately safe sandbox context.

Similarly, the reports of FFmpeg SSRF in blog/274855 might be better
modeled as site-specific vulnerabilities within the "online video
conversion" web application.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWl1TnAAoJEL54rhJi8gl57hIP/jkD+Hfa2TlpnCMaub2I4Nv7
w8Ij6n1DxQcHIEikSpzGzVjzFF5bM08+cnprML2T9mvv8LfIf9LTKhLA6eGA6o0Y
Fdx2Plk1gsz/8xG2+bQD/WWwAd0DU+UEPyg9gQ3uq8aCrQU5+umY3/k27FSnBoEw
/012zKOC/kA7bc3lvMVnEGXjkht48Pjbme4xi/7g8iKJ7Xgp0BJJMITsfUjGQ4wZ
qWXo1is5g6okqmxxCsxBi6z+HiD4rBYGPKLoykFhZKjbKKZVryu5o9IFmqV0Gcx3
Yr2qXq55X9VMfUYfwOEbr0khmNvOTWaCeVGRqNKicMrnQ2AuBln0xw0GSx/IC54a
x871TKEe1K5htx4rgA8yiyeg+HADKBnkBGBsxo9WIen/Jt12JuDQPSEjoWkelUsO
YHIOj4Bvg44aP0GLkPxDIFW4xSNc2SGUg22WJVsTaTxi07U0eUnMZLqxL0UbLJw2
NNIkGj0zCY/74helTqH6O+ZQ7pcePLA07DNiRNKjFp8V4do+MglXG63oVgNMRi5D
Ec89tB57B7ADRqv0k/+HQxa+K4Tur4s4U6ROCBuUxlbg4N/qzzePnJxB8g3ecKr0
rx791hkbmVqI27gtKdMEIK5GJwPQKsvx48wM3zq1aCiELnqzfuOReQihXs98+KwM
iVCG+PH+hIf4wO2Wq06i
=rHFW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.