Note:
This project will be discontinued after December 13, 2021. [more]
2017-06-28
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
| Products | Debian_linux, Ffmpeg |
| Type | Information Exposure (CWE-200) |
| First patch |
https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021 |
| Relevant file/s | ./libavformat/hls.c (modified, +17, -1) |
| Links |
• https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
• http://www.debian.org/security/2017/dsa-3957 • https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html • http://www.securityfocus.com/bid/99315 |
Navigation
Patch data:
Patched area:
(on by default)
Patched area: