Short English description:

ffmpeg vulnerability allows reading local files and sending them over network using a specially crafted video file. This affects not only file conversion (including thumbnail generation), but also any other operations that involve ffmpeg processing your file — for example, ffprobe is affected.
This is not remote code execution, the vulnerability is limited to reading local files and sending them over network, but that is already bad enough.

For example, a specially crafted «video» file uploaded to your server by an attacker could read your website config/private keys/etc and send that to the attacker once you try to generate a thumbnail for it or just probe it with ffmpeg.

On a PC, you don't even need to open a file to get affected, just downloading it would be enough in some cases — video files are processed with ffmpeg for filemanager thumbnails (i.e. KDE Dolphin), for search indexers, etc.

That vulnerability is public, has code samples to reproduce and build a malicious file, and is not fixed atm.

The recommended quick fix is to rebuild ffmpeg without network support (--disable-network configure flag).

Original post: http://habrahabr.ru/company/mailru/blog/274855/

The original text is in Russian, use https://translate.yandex.com or https://translate.google.com/ to read it.
Previously posted as https://news.ycombinator.com/item?id=10893301, but that ended up in [ask] due to my mistake.
`brew install ffmpeg` does not appear to default build with network support, so mac is unlikely affected. Although I'm sure there are many mac apps that use ffmpeg and may have it compiled with network support.
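One way to check whether a given ffmpeg build has network protocols compiled in, as an added example that is not part of the thread. It parses the output of `ffmpeg -hide_banner -protocols`; the protocol-name list is an assumed, non-exhaustive selection and the two sample listings are constructed.

```sh
#!/bin/sh
# Added example: audit an ffmpeg build for network-capable input protocols.
# NET_PROTOS is an assumed, non-exhaustive list of ffmpeg network protocol names.
NET_PROTOS="ftp gopher http httpproxy https mmsh mmst rtmp rtp sctp srtp tcp tls udp udplite"

# Read `ffmpeg -hide_banner -protocols` output on stdin and print, one per
# line, every network protocol that appears in the "Input:" section.
network_inputs() {
    awk -v list="$NET_PROTOS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) net[a[i]] = 1 }
        /^Input:/  { in_input = 1; next }
        /^Output:/ { in_input = 0; next }
        in_input && ($1 in net) { print $1 }
    '
}

# Return 0 if no network input protocol is listed, 1 otherwise.
audit_protocols() {
    found=$(network_inputs)
    if [ -n "$found" ]; then
        printf 'network protocols enabled: %s\n' "$(echo $found)" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (not captured from a real build).
SAMPLE_WITH_NET='Supported file protocols:
Input:
  cache
  concat
  file
  http
  tcp
Output:
  file
  http'
SAMPLE_NO_NET='Supported file protocols:
Input:
  cache
  concat
  file
Output:
  file'

# Live use: ffmpeg -hide_banner -protocols 2>/dev/null | audit_protocols
printf '%s\n' "$SAMPLE_WITH_NET" | audit_protocols || echo "rebuild with --disable-network"
```

Run the live form against every ffmpeg binary on the host, since applications that bundle their own copy are built separately from the system package.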
Anyone running FFmpeg[1] on untrusted input without sandboxing of some kind is being extremely negligent. It's around a million lines of C that does tricky file format parsing and decoding. There will definitely be bugs in any given version, and some of those bugs will be exploitable.

[1] Or any related tool (ffprobe, etc.), or any tool that uses the libav* libraries, or really any non-trivial multimedia processing tool...