Date: Thu, 14 Jan 2016 02:59:05 -0500 (EST) From: cve-assign@...re.org To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: Fwd: FFmpeg: stealing local files with HLS+concat -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > http://habrahabr.ru/company/mailru/blog/274855 As far as we can tell, there are two distinct cross-origin issues within FFmpeg's URL processing. Use CVE-2016-1897 for the concat issue (which is fully described in the blog/274855 reference) and CVE-2016-1898 for the subfile issue (which is mentioned but not described in the blog/274855 reference). The essential problem is that a crafted file forces the victim to visit an arbitrary external URL, but this URL is constructed using data from the victim's local filesystem. > https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/super-turbo-atomic-gif-converter This might describe a vulnerability, but we aren't sure whether the access to file:///home/ctf/flag.txt is really unintended FFmpeg behavior. This might be better modeled as a site-specific vulnerability in the web service, because it should have arranged for the file:///home/ctf/flag.txt URL to be interpreted within an appropriately safe sandbox context. Similarly, the reports of FFmpeg SSRF in blog/274855 might be better modeled as site-specific vulnerabilities within the "online video conversion" web application. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWl1TnAAoJEL54rhJi8gl57hIP/jkD+Hfa2TlpnCMaub2I4Nv7 w8Ij6n1DxQcHIEikSpzGzVjzFF5bM08+cnprML2T9mvv8LfIf9LTKhLA6eGA6o0Y Fdx2Plk1gsz/8xG2+bQD/WWwAd0DU+UEPyg9gQ3uq8aCrQU5+umY3/k27FSnBoEw /012zKOC/kA7bc3lvMVnEGXjkht48Pjbme4xi/7g8iKJ7Xgp0BJJMITsfUjGQ4wZ qWXo1is5g6okqmxxCsxBi6z+HiD4rBYGPKLoykFhZKjbKKZVryu5o9IFmqV0Gcx3 Yr2qXq55X9VMfUYfwOEbr0khmNvOTWaCeVGRqNKicMrnQ2AuBln0xw0GSx/IC54a x871TKEe1K5htx4rgA8yiyeg+HADKBnkBGBsxo9WIen/Jt12JuDQPSEjoWkelUsO YHIOj4Bvg44aP0GLkPxDIFW4xSNc2SGUg22WJVsTaTxi07U0eUnMZLqxL0UbLJw2 NNIkGj0zCY/74helTqH6O+ZQ7pcePLA07DNiRNKjFp8V4do+MglXG63oVgNMRi5D Ec89tB57B7ADRqv0k/+HQxa+K4Tur4s4U6ROCBuUxlbg4N/qzzePnJxB8g3ecKr0 rx791hkbmVqI27gtKdMEIK5GJwPQKsvx48wM3zq1aCiELnqzfuOReQihXs98+KwM iVCG+PH+hIf4wO2Wq06i =rHFW -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.