Ffmpeg Vulnerability

Thread replies: 46
Thread images: 3

>Russian bug hunter finds a way to utilize Ffmpeg to execute scripts through video files.
Website is in Russian
>>>http://habrahabr.ru/company/mailru/blog/274855/

>>>https://bugs.archlinux.org/task/47738
>Arch users recompiled omitting the ability to access networks

Recompilation is simple
>./configure --disable-network
>make
># make install

>>>https://www.ffmpeg.org/download.html
Now go, you have all the tools necessary to protect yourself from your webms

If anyone can successfully make a using this vulnerability, please use it on /b/ and tell us about it.
>>
>>52432162
*If anyone can successfully make a webm using this vulnerability, please use it on /b/ and tell us about it.
>>
>>52432171
sounds like all it does is put data from arbitrary files into the video data, which means at best it could be used to copy files from the 4chan servers.
>>
What can it do?
>>
Does this affect mpv?
I think this vulnerability poses more threats to server using ffmplay, than a regular user.
Also why would one enable network for an encoder application?
>>
>>52432162
I just read through the code. Pretty easy bug. weird that it executes it from the exif.
>>
How do I know if I'm at risk?
>>
>>52433027
mpv links libavformat so your meme player is affected as well
>>
What if I don't have ffmpeg installed on my computer?
>>
>specially crafted «video» file uploaded to your server by an attacker could read your website config/private keys/etc and send that to the attacker once you try to generate a thumbnail for it or just probe it with ffmpeg.
>Server
Why would I install ffmpeg on my server in the first place?
>>
>>52434218
if you run a media server senpai
>>
Why is this a big deal?
MPV isn't affected.
FFMPEG for the regular user isn't a major threat.
>>
>>52434403
Because open source is cancer. This bug wouldn't be a problem if all software was closed source.
>>
>>52434986
>This bug wouldn't be a problem if all software was closed source.
If it was closed source we'd have your nudes by now.
>>
File: 1418582712189.png (463KB, 556x841px)
How to know if network is enabled in ffmpeg?
>>
>>52435298
you do realize this doesn't fix the exploit people can still trash your computer by sending non networked malicious code
>>
>>52435298
It is enabled by default assuming your package manager compiled it with default options.
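
Editor's added example, not part of any post in this thread: one way to answer the question above is to check the `configuration:` line of `ffmpeg -version` for `--disable-network` and to look for network protocols in `ffmpeg -protocols`. The helper names, the protocol list and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether an ffmpeg build has network support.

# Reads `ffmpeg -version` text on stdin. Prints "disabled" when the
# configure line contains --disable-network, otherwise "enabled".
network_from_config() {
    if grep -q -- '--disable-network'; then
        echo disabled
    else
        echo enabled
    fi
}

# Reads `ffmpeg -protocols` text on stdin. Prints the network protocols
# it lists (space separated), or nothing if none are compiled in.
network_protocols() {
    tr -s ' \t' '\n\n' |
        grep -x -E 'http|https|tcp|udp|rtp|rtmp|ftp|tls' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample output (not captured from a real build).
SAMPLE_DEFAULT='configuration: --prefix=/usr --enable-gpl --enable-shared'
SAMPLE_HARDENED='configuration: --prefix=/usr --enable-gpl --disable-network'
SAMPLE_PROTOCOLS='Supported file protocols:
Input:
  file
  http
  tcp
Output:
  file
  tcp'

if command -v ffmpeg >/dev/null 2>&1; then
    # Check the locally installed binary.
    echo "config:    $(ffmpeg -version 2>/dev/null | network_from_config)"
    echo "protocols: $(ffmpeg -protocols 2>/dev/null | network_protocols)"
else
    # No ffmpeg on PATH: run against the constructed samples instead.
    echo "default:   $(echo "$SAMPLE_DEFAULT" | network_from_config)"
    echo "hardened:  $(echo "$SAMPLE_HARDENED" | network_from_config)"
    echo "protocols: $(echo "$SAMPLE_PROTOCOLS" | network_protocols)"
fi
```

This inspects only the `ffmpeg` binary on PATH; players that link their own copy of libavformat have to be checked through that library's build.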
>>
File: Totally safe webm.webm (723KB, 853x480px)
>>52435316
That's what I don't get, this exploit only works IF you save the file containing the malicious code.
Right?
If so it shouldn't make much of a concern to regular users.
>>52435322
On arch, libavformat 56. 40.101 / 56. 40.101
I'm pretty much vulnerable.
But to how much? On linux it can only do much until you'll require root permissions.
>>
>>52435407

Jesus what an animated piece of fucking shit, was this made at north korea or something?
>>
>>52435407
>That's what I don't get, this exploit only works IF you save the file containing the malicious code.
That's how I think this works.
>>
>>52435554
And using ffmpeg to view the exif info.
In other words, simply using MAT will solve it.
>>
>mfw there was a chromium ffmpeg plugin in the repository but I passed up on it
*wipes sweat*
>>
>>52435627
How would that affect you?
>>
>>52435739
uhhh did you read the links above?
>>
>>52432162
>russian exposes bug
>people panic
>russian uploads a "fix" with more bugs in it
>people think it's safe
>>
>>52435819
>downloading which will send files from a user PC to a remote attacker server.
>>
>>52435907
>implying the webm's aren't cached in the disk
>>
>>52436490
>Caching into disk
Why would you do that?
>>
>>52432162
CHRIST ALMIGHTY THIS CANT END GOOD
>>
>>52436624
It's the browser doing it....
>>
>>52436643
You can set it to where ever you want.
Why don't you set it to ram?
Not only it will speed up the browser.
It will protect against such attacks.
>>
>>52436921
>Install a codec I don't need and put the effort to make sure it's saved somewhere else
kek
>>
>>52434403
>YouTube
I'm not any sort of expert, but I wouldn't be the least bit surprised if they use ffmpeg
>>
>>52437017
>installing codec
>>52437069
>Downloading youtube
that would be some serious hoarding issue.
>>
>>52437258
I thought the exploit was executed on a server?

>craft file with exploit
>upload to YouTube
>YouTube runs your upload through ffmpeg, tweaking resolution or whatever it does
>script executes
>grab private keys or whatever
>upload to (for lack of immediately better term, hacker)
>YouTube private keys obtained
>>
>>52437311
Yeah, the exploit is just that script is being executed in a video file from the exif data.
In theory simply removing the exif data through tools like MAT can render the exploit useless.
And even then it affects servers running ffmpeg rather than common user.
And since the exploit is executed when ffmpeg tries to read the file, simply removing ffmpeg related packages is a sure way to prevent it.
What I don't understand is how MPV comes into play, doesn't it use libmpv?
>>
>>52437311
Lol, as if YouTube servers are LAMP system
>>
>>52437487
Excuse me, but what you are referring to lamp is actually GNU/LAMP, or as I've recently taken to calling it, GNU + LAMP and GLAMP.

http://www.gnu.org/philosophy/words-to-avoid.en.html#LAMP

But you're right, they may not be at all.
>>
>>52432162

>mfw every software i have uses/depends on ffmpeg

i guess i should take a break from music for a few days
>>
Aren't we blowing this out of proportion?
Just like heart bleed and BADUSB.
>>
>>52435407
Ik that file managers can display thumbnails for files on network volumes. So practically invulnerable i guess.
>>
so someone can get my ip just because i opened a video file?
fuck, if NSA/FBI got ahold of this, it's all over
>>
>>52434052
Still vulnerable.
>>
>>52440887
pedo detected
>>
>>52441169

pedo detector detected
>>
>>52441784
pedo detector detector detected