Bugzilla – Bug 961937
VUL-0: CVE-2016-1897, CVE-2016-1898: FFmpeg, libav: Local file disclosure via HLS
Last modified: 2018-07-18 14:43:45 UTC
CVE-2016-1897

http://seclists.org/oss-sec/2016/q1/91

"As far as we can tell, there are two distinct cross-origin issues within FFmpeg's URL processing. Use CVE-2016-1897 for the concat issue (which is fully described in the blog/274855 reference) and CVE-2016-1898 for the subfile issue (which is mentioned but not described in the blog/274855 reference). The essential problem is that a crafted file forces the victim to visit an arbitrary external URL, but this URL is constructed using data from the victim's local filesystem."

English translation of the original report:
https://translate.google.com/translate?sl=ru&tl=en&u=http%3A%2F%2Fhabrahabr.ru%2Fcompany%2Fmailru%2Fblog%2F274855%2F

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1897
http://seclists.org/oss-sec/2016/q1/91
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (961937) was mentioned in https://build.opensuse.org/request/show/354498 42.1 / ffmpeg
Will you also provide submits for 13.2?
(In reply to Johannes Segitz from comment #3)
> Will you also provide submits for 13.2?

openSUSE:13.2:Update/libavutil
openSUSE-SU-2016:0243-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 961937
CVE References: CVE-2016-1897,CVE-2016-1898
Sources used:
openSUSE Leap 42.1 (src): ffmpeg-2.8.5-12.1
openSUSE-SU-2016:0243-1: An update that fixes two vulnerabilities was made available.
This is an autogenerated message for OBS integration: This bug (961937) was mentioned in https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq