FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ffmpeg -- remote attacker can access local files

Affected packages
2.0,1 < ffmpeg < 2.8.5,1
mencoder < 1.2.r20151219_2
mplayer < 1.2.r20151219_2

Details

VuXML ID 046fedd1-bd01-11e5-bbf4-5404a68ad561
Discovery 2016-01-13
Entry 2016-01-17

Arch Linux reports:

ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file — for example, KDE Dolphin thumbnail generation is enough.

References

CVE Name CVE-2016-1897
CVE Name CVE-2016-1898
FreeBSD PR ports/206282
URL https://www.ffmpeg.org/security.html