FS#47737 - [security] rebuild ffmpeg without network support until the vulnerability is fixed
Attached to Project:
Community Packages
Opened by Сковорода Никита (ChALkeR) - Wednesday, 13 January 2016, 10:34 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 13 January 2016, 15:31 GMT
Opened by Сковорода Никита (ChALkeR) - Wednesday, 13 January 2016, 10:34 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 13 January 2016, 15:31 GMT
|
Details
ffmpeg has a vulnerability in the current version that
allows the attacker to create a specially crafted video
file, downloading which will send files from a user PC to a
remote attacker server. The attack does not even require the
user to open that file — for example, KDE Dolphin thumbnail
generation is enough. Desktop search indexers (i.e. baloo)
could be affected. ffprobe is affected, basically all
operations with file that involve ffmpeg reading it are
affected.
The vulnerability is public (as public as it could be, it was on the index page of http://www.alexa.com/siteinfo/habrahabr.ru (and is now on page4 of the same site), has code samples and instructions on how to build a malicious file. The original blog post is in Russian: http://habrahabr.ru/company/mailru/blog/274855/, but you can use https://translate.yandex.com or https://translate.google.com to read it. Short English summary at https://news.ycombinator.com/item?id=10893301 The recommended work-around is to rebuild ffmpeg without network support (--disable-network configure flag) until the vulnerability is fixed upstream. |
This task depends upon
Closed by Doug Newgard (Scimmia)
Wednesday, 13 January 2016, 15:31 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#47738
Wednesday, 13 January 2016, 15:31 GMT
Reason for closing: Duplicate
Additional comments about closing:
Comment by Doug Newgard (Scimmia) -
Wednesday, 13 January 2016, 15:31 GMT
Do not create duplicates in the future, let us fix the issue.