ffmpeg allows Server-Side Request Forgery attack

For read full file just switch from 'concat' to 'subfile' as I understood.

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

CVE-2016-1897 (concat) and CVE-2016-1898 (subfile) were assigned to this bug, which (among other potentially security relevant issues) is fixed in FFmpeg 2.7.5 (the lines below starting with avformat/hls refer to this bug).

Attached is a debdiff. (git repo is at [1])

Testing performed (in a wily chroot):
 * build including test suite works
 * installation works
 * upgrade works
 * autopkgtests pass

From the upstream Changelog:

version 2.7.5
- configure: bump copyright year to 2016
- avformat/hls: Even stricter URL checks
- avformat/hls: More strict url checks
- swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls
- swscale/yuv2rgb: Increase YUV2RGB table headroom
- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out
- avformat/hls: forbid all protocols except http(s) & file
- avformat/aviobuf: Fix end check in put_str16()
- avformat/asfenc: Check pts
- avcodec/mpeg4video: Check time_incr
- avcodec/wavpackenc: Check the number of channels
- avcodec/wavpackenc: Headers are per channel
- avcodec/aacdec_template: Check id_map
- avcodec/dvdec: Fix "left shift of negative value -254"
- avcodec/mjpegdec: Fix negative shift
- avcodec/mss2: Check for repeat overflow
- avformat: Add integer fps from 31 to 60 to get_std_framerate()
- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range
- avfilter/vf_scale: set proper out frame color range
- avcodec/motion_est: Fix mv_penalty table size
- avcodec/h264_slice: Fix integer overflow in implicit weight computation
- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions
- avcodec/put_bits: Always check buffer end before writing
- mjpegdec: extend check for incompatible values of s->rgb and s->ls
- swscale/utils: Fix intermediate format for cascaded alpha downscaling
- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse
- avfilter/vf_zoompan: do not free frame we pushed to lavfi

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=wily

ACK on the debdiff in comment #3. Packages are building now and will be released as a security update today. Thanks!

Thank you, guys
Is it also fixed another packages like Mplayer or KDE Baloo?

This bug was fixed in the package ffmpeg - 7:2.7.5-0ubuntu0.15.10.1

---------------
ffmpeg (7:2.7.5-0ubuntu0.15.10.1) wily-security; urgency=medium

  * Import new upstream bugfix release 2.7.5.
     - Fixes CVE-2016-1897 and CVE-2016-1898. (LP: #1533367)

 -- Andreas Cadhalpun <email address hidden> Fri, 15 Jan 2016 21:05:04 +0100

Filipp, if an issue is fixed in libavformat it doesn't affect programs using this dynamic library (like mplayer) anymore, once they have been restarted after libavformat has been upgraded.

To fix this issue in xenial, 2.8.5-1 needs to be merged from Debian/unstable.

Attached is a debdiff for vivid. (git repo is at [1])

Testing performed (in a vivid chroot):
 * build including test suite works
 * installation works
 * upgrade works
 * no regression in the autopkgtests from 2.8.5-1

From the upstream Changelog:

version 2.5.10
- configure: bump copyright year to 2016
- avformat/hls: Even stricter URL checks
- avformat/hls: More strict url checks
- swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls
- swscale/yuv2rgb: Increase YUV2RGB table headroom
- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out
- avformat/hls: forbid all protocols except http(s) & file
- avformat/aviobuf: Fix end check in put_str16()
- avformat/asfenc: Check pts
- avcodec/mpeg4video: Check time_incr
- avcodec/wavpackenc: Check the number of channels
- avcodec/wavpackenc: Headers are per channel
- avcodec/dvdec: Fix "left shift of negative value -254"
- avcodec/mjpegdec: Fix negative shift
- avcodec/mss2: Check for repeat overflow
- avformat: Add integer fps from 31 to 60 to get_std_framerate()
- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range
- avfilter/vf_scale: set proper out frame color range
- avcodec/motion_est: Fix mv_penalty table size
- avcodec/h264_slice: Fix integer overflow in implicit weight computation
- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions
- avcodec/put_bits: Always check buffer end before writing
- mjpegdec: extend check for incompatible values of s->rgb and s->ls
- swscale/utils: Fix intermediate format for cascaded alpha downscaling
- avcodec/h264_refs: Fix long_idx check
- avfilter/vf_mpdecimate: Add missing emms_c()
- avformat/mxfenc: Do not crash if there is no packet in the first stream
- avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec
- avformat/matroskaenc: Check codecdelay before use
- avutil/mathematics: Fix division by 0
- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse
- avcodec/mpeg4videodec: also for empty partitioned slices
- nuv: sanitize negative fps rate
- rawdec: only exempt BIT0 with need_copy from buffer sanity check
- mlvdec: check that index_entries exist
- nutdec: reject negative value_len in read_sm_data
- xwddec: prevent overflow of lsize * avctx->height
- nutdec: only copy the header if it exists
- exr: fix out of bounds read in get_code
- on2avc: limit number of bits to 30 in get_egolomb
- sonic: make sure num_taps * channels is not larger than frame_size
- opus_silk: fix typo causing overflow in silk_stabilize_lsf
- ffm: reject invalid codec_id and codec_type
- aaccoder: prevent crash of anmr coder
- ffmdec: reject zero-sized chunks
- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE*
- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride

1: https://anonscm.debian.org/cgit/c...

ACK on the debdiff in comment #7. Package is building now and will be released as a security update today. Thanks!

This bug was fixed in the package ffmpeg - 7:2.5.10-0ubuntu0.15.04.1

---------------
ffmpeg (7:2.5.10-0ubuntu0.15.04.1) vivid-security; urgency=medium

  * Import new upstream bugfix release 2.5.10.
     - Fixes CVE-2016-1897 and CVE-2016-1898. (LP: #1533367)

 -- Andreas Cadhalpun <email address hidden> Tue, 19 Jan 2016 20:24:46 +0100

This bug was fixed in the package ffmpeg - 7:2.8.6-1ubuntu1

---------------
ffmpeg (7:2.8.6-1ubuntu1) xenial; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Compile with -O2 rather than -O3 on s390x, to work around
      https://bugs.launchpad.net/bugs/1526324.
  * Should fix LP: #1533367

ffmpeg (7:2.8.6-1) unstable; urgency=medium

  * Import new upstream bugfix release 2.8.6.
  * Update Standards-Version to 3.9.7.
     - Move documentatation from /u/s/d/ffmpeg-doc/ to /u/s/d/ffmpeg/.
  * Use https for the Vcs-Git link.

ffmpeg (7:2.8.5-1) unstable; urgency=medium

  * Import new upstream bugfix release 2.8.5.
     - Fixes CVE-2016-1897 and CVE-2016-1898.
  * Update doc-make-apidoc-output-independent-of-SRC_PATH.patch.
  * Add patch to make out-of-tree builds bit-identical to in-tree-builds.
  * Enable the now available opencv and frei0r on mips64el.
  * Fix altivec-extra compile time optimization.
  * Update copyright year for the debian files.
  * Change priority of libavcodec*-extra* to extra.

 -- Iain Lane <email address hidden> Thu, 25 Feb 2016 17:48:20 +0000