
Potential FFmpeg security vulnerability

Discussion in 'Server Configuration and Hosting' started by Chris D, Jan 26, 2016.

  1. Chris D

    Chris D XenForo Developer Staff Member

    It recently came to our attention that there is a potential vulnerability in FFmpeg which has the potential to be exploited via XenForo Media Gallery if you have FFmpeg features enabled (or are using any other code that uses FFmpeg).

    The issue is exploitable by using a specially constructed video file which masquerades as an HTTP Live Streaming (HLS) M3U8 file which can use the "concat" protocol to read local files and leak them via an external HTTP request.

    More details can be found by reading CVE-2016-1897 and CVE-2016-1898.

    The bug has since been fixed in the following versions of FFmpeg:
    • 2.8.5
    • 2.7.5
    • 2.6.7
    • 2.5.10
    These versions of FFmpeg were all released on January 16th 2016. If you installed FFmpeg before this date, you will almost certainly be using a vulnerable version.

    It is recommended to compile the most current FFmpeg from source, which our guide here should help with:

    If you're unable to do that, you may instead wish to download the latest static build available here:

    If you're unable to do either of the above it is recommended to disable all FFmpeg functionality in XenForo Media Gallery (or other code that uses FFmpeg), at least temporarily (see below). You can disable FFmpeg in XFMG by removing the path to FFmpeg in the Gallery Options > Video Options tab.

    As an added layer of protection for users of XenForo Media Gallery, the next release of XFMG includes code which should automatically reject any video files which could be used to exploit this bug, but upgrading FFmpeg remains the recommended solution.
    Sunka, eva2000, batpool52! and 9 others like this.
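
The first post mentions that XFMG will reject video files that could be used to exploit this bug. The following is an added example of that kind of pre-transcode check; it is not XenForo's code, and the function name, scan window and sample bytes are assumptions constructed for illustration.

```python
import re

# Tags that mark an HLS playlist; a binary video container has no reason to carry them.
HLS_TAG = re.compile(rb"#EXT(M3U|INF|-X-[A-Z0-9-]+)")
# The advisory names the "concat" protocol; flag playlist lines that start with it.
CONCAT_URI = re.compile(rb"(?im)^\s*concat:")
SCAN_BYTES = 64 * 1024  # assumption: only the head of the upload is inspected
BOM_AND_SPACE = b"\xef\xbb\xbf \t\r\n"


def inspect_upload(data: bytes) -> list:
    """Return reasons to reject an upload; an empty list means no HLS traits."""
    head = data[:SCAN_BYTES]
    reasons = []
    if head.lstrip(BOM_AND_SPACE).startswith(b"#EXTM3U"):
        reasons.append("file is an HLS playlist, not a media container")
    elif HLS_TAG.search(head):
        reasons.append("HLS playlist tag embedded in file body")
    if CONCAT_URI.search(head):
        reasons.append("playlist line uses the concat: protocol")
    return reasons


# Constructed samples (not taken from any real upload or exploit file).
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42" + bytes(32)
SAMPLE_PLAYLIST = (
    b"#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:10.0,\n"
    b"concat:PLACEHOLDER\n#EXT-X-ENDLIST\n"
)
SAMPLE_EMBEDDED = bytes(range(1, 9)) + b"\n#EXTINF:1.0,\nsegment0.ts\n"

if __name__ == "__main__":
    for name, blob in [("mp4", SAMPLE_MP4), ("playlist", SAMPLE_PLAYLIST),
                       ("embedded", SAMPLE_EMBEDDED)]:
        print(name, inspect_upload(blob) or "accepted for transcoding")
```

A check like this runs before the file path is handed to FFmpeg and complements the upgrade rather than replacing it.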
  2. eva2000

    eva2000 Well-Known Member

    Yup for Centmin Mod LEMP stack, FFMPEG github sourced compile latest FFMPEG + FFMPEG php extension with the workaround for this vulnerability https://community.centminmod.com/posts/24073/ :)

    done back on Jan 14, 2016
    ffmpeg version git-2016-01-14-62dfe1d Copyright (c) 2000-2016 the FFmpeg developers
    built with gcc 4.4.7 (GCC) 20120313 (Red Hat 4.4.7-16)
    configuration: --prefix=/opt/ffmpeg --extra-cflags=-I/opt/ffmpeg/include --extra-ldflags=-L/opt/ffmpeg/lib --bindir=/opt/bin --pkg-config-flags=--static --enable-gpl --enable-nonfree --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-swscale --enable-shared --disable-network
    libavutil 55. 13.100 / 55. 13.100
    libavcodec 57. 22.100 / 57. 22.100
    libavformat 57. 21.101 / 57. 21.101
    libavdevice 57. 0.100 / 57. 0.100
    libavfilter 6. 23.100 / 6. 23.100
    libswscale 4. 0.100 / 4. 0.100
    libswresample 2. 0.101 / 2. 0.101
    libpostproc 54. 0.100 / 54. 0.100
    Sunka, Chris D and NixFifty like this.
  3. eva2000

    eva2000 Well-Known Member

    reinstalled from latest source now :D

    Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
                       Centmin Mod Menu                
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    Enter option [ 1 - 24 ] 19
                 FFMPEG Sub-Menu           
    1). Install FFMPEG Binary + FFMPEG PHP extension
    2). Update FFMPEG Binary + FFMPEG PHP extension
    3). Reinstall FFMPEG PHP extension
    4). Back to Main menu
    Enter option [ 1 - 4 ] 1
    FFMPEG install
    Installed FFMPEG at /opt/ffmpeg
    ffmpeg version git-2016-01-27-74e8f4f Copyright (c) 2000-2016 the FFmpeg developers
    built with gcc 4.4.7 (GCC) 20120313 (Red Hat 4.4.7-16)
    configuration: --prefix=/opt/ffmpeg --extra-cflags=-I/opt/ffmpeg/include --extra-ldflags=-L/opt/ffmpeg/lib --bindir=/opt/bin --pkg-config-flags=--static --enable-gpl --enable-nonfree --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-swscale --enable-shared
    libavutil      55. 15.100 / 55. 15.100
    libavcodec     57. 22.102 / 57. 22.102
    libavformat    57. 23.100 / 57. 23.100
    libavdevice    57.  0.100 / 57.  0.100
    libavfilter     6. 27.100 /  6. 27.100
    libswscale      4.  0.100 /  4.  0.100
    libswresample   2.  0.101 /  2.  0.101
    libpostproc    54.  0.100 / 54.  0.100
    FFMPEG PHP extension
    php --ri ffmpeg
    ffmpeg-php version => 0.7.0
    ffmpeg-php built on => Jan 27 2016 13:05:29
    ffmpeg-php gd support  => disabled
    ffmpeg libavcodec version => Lavc57.22.102
    ffmpeg libavcodec license => nonfree and unredistributable
    ffmpeg libavformat version => Lavf57.23.100
    ffmpeg libavformat license => nonfree and unredistributable
    ffmpeg swscaler version => SwS4.0.100
    ffmpeg swscaler license => nonfree and unredistributable
    Directive => Local Value => Master Value
    ffmpeg.allow_persistent => 0 => 0
    ffmpeg.show_warnings => 0 => 0
    Sunka likes this.
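
To triage an installed build against the fixed releases listed in the first post, the banner printed by `ffmpeg -version` can be parsed as below. This is an added example, not code from XenForo or Centmin Mod; the function name, status labels and sample banners are assumptions constructed for illustration (the git banner is abridged from the second post).

```python
import re

# Fixed releases per branch, as listed in the first post of this thread.
FIXED = {(2, 8): 5, (2, 7): 5, (2, 6): 7, (2, 5): 10}

BANNER = re.compile(r"^ffmpeg version (\S+)", re.M)
RELEASE = re.compile(r"^n?(\d+)\.(\d+)(?:\.(\d+))?")


def triage(banner: str) -> dict:
    """Classify `ffmpeg -version` output against the releases in FIXED."""
    m = BANNER.search(banner)
    if not m:
        return {"version": None, "status": "unparsed", "network_disabled": False}
    version = m.group(1)
    # Builds configured with --disable-network carry no network protocols.
    network_disabled = "--disable-network" in banner
    rel = RELEASE.match(version)
    if rel is None:
        # Git snapshots cannot be compared with release numbers.
        status = "unlisted"
    else:
        branch = (int(rel.group(1)), int(rel.group(2)))
        patch = int(rel.group(3) or 0)
        if branch not in FIXED:
            status = "unlisted"  # branch is not covered by the thread's list
        else:
            status = "patched" if patch >= FIXED[branch] else "vulnerable"
    return {"version": version, "status": status,
            "network_disabled": network_disabled}


# Constructed sample banners.
OLD_RELEASE = "ffmpeg version 2.8.4 Copyright (c) 2000-2015\nconfiguration: --enable-gpl\n"
FIXED_RELEASE = "ffmpeg version 2.6.7 Copyright (c) 2000-2016\nconfiguration: --enable-gpl\n"
GIT_BUILD = ("ffmpeg version git-2016-01-14-62dfe1d Copyright (c) 2000-2016\n"
             "configuration: --prefix=/opt/ffmpeg --enable-shared --disable-network\n")

if __name__ == "__main__":
    for sample in (OLD_RELEASE, FIXED_RELEASE, GIT_BUILD):
        print(triage(sample))
```

An "unlisted" result means the thread's version list cannot decide the question, so the build date and upstream changelog have to be checked by hand.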
