Tell HN: Ffmpeg vulnerability allows attacker to get files from server or PC

ffmpeg vulnerability allows reading local files and sending them over network using a specially crafted video file. This affects not only file conversion (including thumbnail generation), but also any other operations that involve ffmpeg processing your file — for example, ffprobe is affected.<p>This is not remote code execution, the vulnerability is limited to reading local files and sending them over network, but that is already bad enough.<p>For example, a specially crafted «video» file uploaded to your server by an attacker could read your website config&#x2F;private keys&#x2F;etc and send that to the attacker once you try to generate a thumbnail for it or just probe it with ffmpeg.<p>On a PC, you don&#x27;t even need to open a file to get affected, just downloading it would be enough in some cases — video files are processed with ffmpeg for filemanager thumbnails (i.e. KDE Dolphin), for search indexers, etc.<p>That vulnerability is public, has code samples to reproduce and build a malicious file, and is not fixed atm.<p>The recommended quick fix is to rebuild ffmpeg without network support (--disable-network configure flag).<p>Original post: http:&#x2F;&#x2F;habrahabr.ru&#x2F;company&#x2F;mailru&#x2F;blog&#x2F;274855&#x2F;<p>The original text is in Russian, use https:&#x2F;&#x2F;translate.yandex.com or https:&#x2F;&#x2F;translate.google.com&#x2F; to read it.