
Potential FFmpeg security vulnerability

Chris D

XenForo developer
Staff member
#1
It recently came to our attention that there is a potential vulnerability in FFmpeg which has the potential to be exploited via XenForo Media Gallery if you have FFmpeg features enabled (or are using any other code that uses FFmpeg).

The issue is exploitable by using a specially constructed video file which masquerades as an HTTP Live Streaming (HLS) M3U8 file which can use the "concat" protocol to read local files and leak them via an external HTTP request.

More details can be found by reading CVE-2016-1897 and CVE-2016-1898.

The bug has since been fixed in the following versions of FFmpeg:
  • 2.8.5
  • 2.7.5
  • 2.6.7
  • 2.5.10
These versions of FFmpeg were all released on January 16th 2016. If you installed FFmpeg before this date, you will almost certainly be using a vulnerable version.

It is recommended to compile the most current FFmpeg from source, which our guide here should help with:
https://xenforo.com/community/resources/compiling-ffmpeg-from-source.4536/

If you're unable to do that, you may instead wish to download the latest static build available here:
http://johnvansickle.com/ffmpeg/

If you're unable to do either of the above it is recommended to disable all FFmpeg functionality in XenForo Media Gallery (or other code that uses FFmpeg), at least temporarily (see below). You can disable FFmpeg in XFMG by removing the path to FFmpeg in the Gallery Options > Video Options tab.

As an added layer of protection for users of XenForo Media Gallery, the next release of XFMG includes code which should automatically reject any video files which could be used to exploit this bug, but upgrading FFmpeg remains the recommended solution.
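
A sketch of the kind of upload screening described in the last paragraph, added here as an example and not taken from XFMG or from the original post. It assumes the check is made on the HLS playlist header tag `#EXTM3U`; the names `contains_marker` and `screen_upload` and both sample inputs are constructed for illustration.

```python
import io

# Assumption: screen for the HLS playlist header tag. The thread does not
# say what XFMG's own rejection code checks.
HLS_MARKER = b"#EXTM3U"

# Constructed sample inputs (not real media files).
SAMPLE_CLEAN = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64
SAMPLE_PLAYLIST = b"\x00" * 100 + b"#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n"


def contains_marker(stream, marker=HLS_MARKER, chunk_size=64 * 1024):
    """Return True if `marker` occurs anywhere in a binary stream.

    The file is read in chunks; the last len(marker)-1 bytes of each window
    are carried over so a marker split across two chunks is still found.
    """
    keep = len(marker) - 1
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return False
        window = tail + chunk
        if marker in window:
            return True
        tail = window[-keep:] if keep else b""


def screen_upload(stream):
    """Decide whether an upload offered as video may be passed to FFmpeg.

    Returns (allowed, reason). The whole file is scanned, not only the
    first bytes, so a playlist placed after other data is also rejected.
    """
    if contains_marker(stream):
        return False, "HLS playlist tag found in file offered as video"
    return True, "no playlist tag found"


if __name__ == "__main__":
    for name, data in (("clean", SAMPLE_CLEAN), ("playlist", SAMPLE_PLAYLIST)):
        print(name, screen_upload(io.BytesIO(data)))
```

A check like this runs before the file path is handed to FFmpeg and complements, rather than replaces, the upgrade recommended above.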
 

eva2000

Well-known member
#2
Yup for Centmin Mod LEMP stack, FFMPEG github sourced compile latest FFMPEG + FFMPEG php extension with the workaround for this vulnerability https://community.centminmod.com/posts/24073/ :)

done back on Jan 14, 2016
Code:
ffmpeg version git-2016-01-14-62dfe1d Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 4.4.7 (GCC) 20120313 (Red Hat 4.4.7-16)
configuration: --prefix=/opt/ffmpeg --extra-cflags=-I/opt/ffmpeg/include --extra-ldflags=-L/opt/ffmpeg/lib --bindir=/opt/bin --pkg-config-flags=--static --enable-gpl --enable-nonfree --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-swscale --enable-shared --disable-network
libavutil 55. 13.100 / 55. 13.100
libavcodec 57. 22.100 / 57. 22.100
libavformat 57. 21.101 / 57. 21.101
libavdevice 57. 0.100 / 57. 0.100
libavfilter 6. 23.100 / 6. 23.100
libswscale 4. 0.100 / 4. 0.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
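
A way to triage `ffmpeg -version` banners like the one above against the fixed releases listed in post #1, added here as an example and not part of the original posts. The function names and result labels are made up for illustration; reporting `--disable-network` is an assumption based on the leak in post #1 needing an external HTTP request, which the thread itself does not spell out.

```python
import re

# Fixed point release per branch, as listed in the advisory in post #1.
FIXED_PATCH = {(2, 8): 5, (2, 7): 5, (2, 6): 7, (2, 5): 10}

# First two banner lines from post #2, configure line abbreviated.
BANNER_POST2 = (
    "ffmpeg version git-2016-01-14-62dfe1d Copyright (c) 2000-2016 the FFmpeg developers\n"
    "configuration: --prefix=/opt/ffmpeg --enable-shared --disable-network\n"
)
# Constructed banner for a release build.
BANNER_RELEASE = "ffmpeg version 2.8.4 Copyright (c) 2000-2015 the FFmpeg developers\n"


def classify_banner(banner):
    """Classify `ffmpeg -version` output against the advisory's list.

    Returns 'fixed', 'vulnerable', 'unlisted-branch' (a release branch the
    advisory does not mention) or 'snapshot' (a git build with no release
    number, which has to be judged by build date or simply rebuilt).
    """
    m = re.search(r"^ffmpeg version (\S+)", banner, re.MULTILINE)
    if not m:
        raise ValueError("no 'ffmpeg version' line found")
    rel = re.match(r"n?(\d+)\.(\d+)(?:\.(\d+))?", m.group(1))
    if not rel:
        return "snapshot"
    branch = (int(rel.group(1)), int(rel.group(2)))
    patch = int(rel.group(3) or 0)
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        return "unlisted-branch"
    return "fixed" if patch >= fixed else "vulnerable"


def built_without_network(banner):
    """True if the build's configure line carries --disable-network."""
    m = re.search(r"^\s*configuration:(.*)$", banner, re.MULTILINE)
    return bool(m) and "--disable-network" in m.group(1).split()


if __name__ == "__main__":
    for b in (BANNER_POST2, BANNER_RELEASE):
        print(classify_banner(b), built_without_network(b))
```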
 

eva2000

Well-known member
#3
reinstalled from latest source now :D

Code:
--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu                
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 19
--------------------------------------------------------

Code:
--------------------------------------------------------
             FFMPEG Sub-Menu           
--------------------------------------------------------
1). Install FFMPEG Binary + FFMPEG PHP extension
2). Update FFMPEG Binary + FFMPEG PHP extension
3). Reinstall FFMPEG PHP extension
4). Back to Main menu
--------------------------------------------------------
Enter option [ 1 - 4 ] 1
--------------------------------------------------------

FFMPEG install
Code:
Installed FFMPEG at /opt/ffmpeg

ffmpeg version git-2016-01-27-74e8f4f Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 4.4.7 (GCC) 20120313 (Red Hat 4.4.7-16)
configuration: --prefix=/opt/ffmpeg --extra-cflags=-I/opt/ffmpeg/include --extra-ldflags=-L/opt/ffmpeg/lib --bindir=/opt/bin --pkg-config-flags=--static --enable-gpl --enable-nonfree --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-swscale --enable-shared
libavutil      55. 15.100 / 55. 15.100
libavcodec     57. 22.102 / 57. 22.102
libavformat    57. 23.100 / 57. 23.100
libavdevice    57.  0.100 / 57.  0.100
libavfilter     6. 27.100 /  6. 27.100
libswscale      4.  0.100 /  4.  0.100
libswresample   2.  0.101 /  2.  0.101
libpostproc    54.  0.100 / 54.  0.100

FFMPEG PHP extension
Code:
php --ri ffmpeg

ffmpeg

ffmpeg-php version => 0.7.0
ffmpeg-php built on => Jan 27 2016 13:05:29
ffmpeg-php gd support  => disabled
ffmpeg libavcodec version => Lavc57.22.102
ffmpeg libavcodec license => nonfree and unredistributable
ffmpeg libavformat version => Lavf57.23.100
ffmpeg libavformat license => nonfree and unredistributable
ffmpeg swscaler version => SwS4.0.100
ffmpeg swscaler license => nonfree and unredistributable

Directive => Local Value => Master Value
ffmpeg.allow_persistent => 0 => 0
ffmpeg.show_warnings => 0 => 0