Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#47738 - [ffmpeg] rebuild without network support until the vulnerability is fixed
Attached to Project:
Arch Linux
Opened by Сковорода Никита (ChALkeR) - Wednesday, 13 January 2016, 11:14 GMT
Last edited by Maxime Gauduin (Alucryd) - Friday, 15 January 2016, 19:44 GMT
Details

ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file — for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (i.e. baloo) could be affected. ffprobe is affected; basically all operations with a file that involve ffmpeg reading it are affected.

The vulnerability is public (as public as it could be: it was on the index page of http://www.alexa.com/siteinfo/habrahabr.ru and is now on page 4 of the same site), and has code samples and instructions on how to build a malicious file. The original blog post is in Russian: http://habrahabr.ru/company/mailru/blog/274855/, but you can use https://translate.yandex.com or https://translate.google.com to read it. Short English summary at https://news.ycombinator.com/item?id=10893301.

The recommended work-around is to rebuild ffmpeg without network support (--disable-network configure flag) until the vulnerability is fixed upstream.
Closed by Maxime Gauduin (Alucryd)
Friday, 15 January 2016, 19:44 GMT
Reason for closing: Fixed
Additional comments about closing: 1:2.8.4-4
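
A check to run after the rebuild recommended in the report, added here as an example and not part of the bug report or of the Arch package: it classifies the `configuration:` line printed by `ffmpeg -version` and lists network-backed input protocols from `ffmpeg -protocols` output. The sample outputs are constructed, and the protocol list is an assumed, non-exhaustive selection.

```shell
#!/bin/sh
# Added example: audit an ffmpeg build for the --disable-network workaround.

# Read `ffmpeg -version` output on stdin and print one of:
#   disabled - the configuration line contains --disable-network
#   enabled  - a configuration line exists without that flag
#   unknown  - no configuration line was found
network_status() {
    awk '
        /^[[:space:]]*configuration:/ {
            seen = 1
            for (i = 2; i <= NF; i++)
                if ($i == "--disable-network") off = 1
        }
        END {
            if (!seen)    print "unknown"
            else if (off) print "disabled"
            else          print "enabled"
        }'
}

# Read `ffmpeg -protocols` output on stdin and print the input protocols
# that need the network layer (assumed, non-exhaustive list).
network_inputs() {
    awk '
        /^Input:/  { in_input = 1; next }
        /^Output:/ { in_input = 0 }
        in_input && $1 ~ /^(ftp|http|https|rtmp|rtp|tcp|tls|udp)$/ { print $1 }'
}

# Constructed sample outputs (not captured from a real build).
SAMPLE_PATCHED='ffmpeg version N-constructed
configuration: --prefix=/usr --enable-gpl --disable-network'
SAMPLE_STOCK='ffmpeg version N-constructed
configuration: --prefix=/usr --enable-gpl'
SAMPLE_PROTOCOLS='Supported file protocols:
Input:
  concat
  file
  http
  tcp
Output:
  file
  tcp'

printf '%s\n' "$SAMPLE_PATCHED"   | network_status
printf '%s\n' "$SAMPLE_STOCK"     | network_status
printf '%s\n' "$SAMPLE_PROTOCOLS" | network_inputs
```

On an installed system, feed the real output instead: `ffmpeg -version 2>/dev/null | network_status` and `ffmpeg -protocols 2>/dev/null | network_inputs`; a rebuilt package should report `disabled` and list no protocols.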
And this issue also applies to libav and so on.
I did not do that, and I did not even try rebuilding with hls,applehttp disabled.
Is there a mailing list archive or a bug report about this statement?
[1] https://github.com/FFmpeg/FFmpeg/commit/cfda1bea4c18ec1edbc11ecc465f788b02851488
[2] https://github.com/FFmpeg/FFmpeg/commit/6ba42b6482c725a59eb468391544dc0c75b8c6f0
[3] https://github.com/rg3/youtube-dl/issues/8242