Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 13 Jan 2016 14:01:55 +0300
From: Vladimir Dubrovin <>
Subject: Fwd: FFmpeg: stealing local files with HLS+concat

---------- Forwarded message ----------
From: Максим Андреев <>
Date: 13 January 2016 at 13:41
Subject: FFmpeg: stealing local files with HLS+concat

I found some strange behavior in ffmpeg which can lead to stealing local
files during ffmpeg/ffprobe exec, it's also applied to libav.

I've underestimated the impact of this bug, so it was full disclosured
in this article (Russian language, but google translate works fine with
it) -

In short:
if linux user download specially prepared video file (with any
extension: avi/mov/etc..) which contains HLS m3u8 playlist with "concat"
protocol in url:,


If user launches ffmpeg-based video player (MPlayer, etc..), first line
of /etc/passwd will be sent to in $FreeBSD: release/100.0/et..  request.
The same happens when file manager tries to generate thumbnail for this

All this can be applied to server-run ffmpeg during video conversion.
FFmpeg/libav security teams are already notified, but official patches
are not available yet, so you can rebuild ffmpeg with --disable-network
configure option which prevents this vulnerability from being exploited.

Moreover, it's always recommended to run ffmpeg in isolated environment
when processing untrusted files

Maxim Andreev

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.