Details



The vulnerability is public (as public as it could be, it was on the index page of



Short English summary at



The recommended work-around is to rebuild ffmpeg without network support (--disable-network configure flag) until the vulnerability is fixed upstream. ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file — for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (i.e. baloo) could be affected. ffprobe is affected, basically all operations with file that involve ffmpeg reading it are affected.The vulnerability is public (as public as it could be, it was on the index page of http://www.alexa.com/siteinfo/habrahabr.ru (and is now on page4 of the same site), has code samples and instructions on how to build a malicious file. The original blog post is in Russian: http://habrahabr.ru/company/mailru/blog/274855/ , but you can use https://translate.yandex.com or https://translate.google.com to read it.Short English summary at https://news.ycombinator.com/item?id=10893301 The recommended work-around is to rebuild ffmpeg without network support (--disable-network configure flag) until the vulnerability is fixed upstream.