Bug#811519: vlc: avio plugin leaks file content
Rémi Denis-Courmont
remi at remlab.net
Tue Jan 19 19:32:12 UTC 2016
On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote:
> On 19.01.2016 17:27, Sebastian Ramacher wrote:
> > On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote:
> >> With a carefully crafted URL, the VLC avio plugin can be made to leak
> >> content of local files to remote parties.
> >> The root cause is the same as CVE-2016-1897.
> >>
> >> See also:
> >>
> >> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html
> >
> > There is nothing to be done in the vlc package. Reassigning to ffmpeg. It
> > needs to be built with --disable-protocol=concat.
>
> How is CVE-2016-1897 not fully fixed?
>
> Rémi, please share details about any remaining vulnerability with
> <ffmpeg-security at ffmpeg.org>.
This is a VLC vulnerability and I can't share it with my own self. Besides, the
underlying issue has already been discussed with upstream libav.
There is plenty of information available already to reproduce the problem. I
don't want to publish an exact proof-of-concept against "my" own software,
especially not before VLC 2.2.2 gets released.
--
Rémi Denis-Courmont
http://www.remlab.net/