Bug#811519: vlc: avio plugin leaks file content

Rémi Denis-Courmont remi at remlab.net
Tue Jan 19 19:32:12 UTC 2016


On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote:
> On 19.01.2016 17:27, Sebastian Ramacher wrote:
> > On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote:
> >> With a carefully crafted URL, the VLC avio plugin can be made to leak
> >> content of local files to remote parties.
> >> The root cause is the same as CVE-2016-1897.
> >> 
> >> See also:
> >> 
> >> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html
> > 
> > There is nothing to be done in the vlc package. Reassigning to ffmpeg. It
> > needs to be built with --disable-protocol=concat.
> 
> How is CVE-2016-1897 not fully fixed?
> 
> Rémi, please share details about any remaining vulnerability with
> <ffmpeg-security at ffmpeg.org>.

This is a VLC vulnerability and I can't share it with my own self. Besides the 
underlying issue has already been discussed with upstream libav.

There is plenty of information available already to reproduce the problem. I 
don't want to publish an exact proof-of-concept against "my" own software, 
especially not before VLC 2.2.2 gets released.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
