The vulnerability was discovered on January 12, 2016, by Russian programmer Maxim Andreev in the current stable builds of the FFmpeg software, and it would appear that it allows anyone who has the necessary skills to hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file.
The vulnerability is limited to reading local files and sending them over the network, not to remote code execution, but it’s enough to do some damage. The FFmpeg developers are aware of the issue, and they are trying to patch it as we speak. James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.
“ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file – for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (i.e. baloo) could be affected. ffprobe is affected, basically all operations with file that involve ffmpeg reading it are affected,” reads an Arch Linux bug report submitted today.
Already patched in Arch Linux
We’ve been informed earlier today, January 13, 2016, that Arch Linux developers have already patched the FFmpeg 2.8.4 packages in the operating system by rebuilding them without the AppleHTTP and HLS demuxers. Therefore, all Arch Linux users are urged to update their FFmpeg packages to version 2.8.4-3. It is also possible to fix the issue by rebuilding the FFmpeg packages without network support, using the –disable-network configure flag, but that seems a bit too much.
We will update the article later today or tomorrow, when the FFmpeg team releases a patch or a new version of the software. Other GNU/Linux distributions should also rebuild the FFmpeg packages available in the default software repositories using the method explained above. All operating systems that use FFmeg 2.8.4 or previous versions are affected.