Community Packages

Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#47737 - [security] rebuild ffmpeg without network support until the vulnerability is fixed

Attached to Project: Community Packages
Opened by Сковорода Никита (ChALkeR) - Wednesday, 13 January 2016, 10:34 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 13 January 2016, 15:31 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file — for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (i.e. baloo) could be affected. ffprobe is affected, basically all operations with file that involve ffmpeg reading it are affected.

The vulnerability is public (as public as it could be, it was on the index page of http://www.alexa.com/siteinfo/habrahabr.ru (and is now on page4 of the same site), has code samples and instructions on how to build a malicious file. The original blog post is in Russian: http://habrahabr.ru/company/mailru/blog/274855/, but you can use https://translate.yandex.com or https://translate.google.com to read it.

Short English summary at https://news.ycombinator.com/item?id=10893301

The recommended work-around is to rebuild ffmpeg without network support (--disable-network configure flag) until the vulnerability is fixed upstream.
This task depends upon

Closed by  Doug Newgard (Scimmia)
Wednesday, 13 January 2016, 15:31 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#47738 
Comment by Doug Newgard (Scimmia) - Wednesday, 13 January 2016, 15:31 GMT
Do not create duplicates in the future, let us fix the issue.

Loading...