Bug#811519: vlc: avio plugin leaks file content
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Tue Jan 19 18:06:54 UTC 2016
Control: tags -1 = moreinfo
Control: severity -1 important
Hi,

On 19.01.2016 17:27, Sebastian Ramacher wrote:
> On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote:
>> With a carefully crafted URL, the VLC avio plugin can be made to leak
>> content of local files to remote parties.
>> The root cause is the same as CVE-2016-1897.
>>
>> See also:
>>
>> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html
>
> There is nothing to be done in the vlc package. Reassigning to ffmpeg. It needs
> to be built with --disable-protocol=concat.

How is CVE-2016-1897 not fully fixed?

Rémi, please share details about any remaining vulnerability with
<ffmpeg-security at ffmpeg.org>.

Best regards,
Andreas