On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote:
> On 19.01.2016 17:27, Sebastian Ramacher wrote:
> > On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote:
> >> With a carefully crafted URL, the VLC avio plugin can be made to leak
> >> content of local files to remote parties.
> >> The root cause is the same as CVE-2016-1897.
> >>
> >> See also:
> >>
> >> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html
> >
> > There is nothing to be done in the vlc package. Reassigning to ffmpeg. It
> > needs to be built with --disable-protocol=concat.
>
> How is CVE-2016-1897 not fully fixed?
>
> Rémi, please share details about any remaining vulnerability with
> <ffmpeg-secur...@ffmpeg.org>.

This is a VLC vulnerability and I can't share it with my own self. Besides the underlying issue has already been discussed with upstream libav.

There is plenty of information available already to reproduce the problem. I don't want to publish an exact proof-of-concept against "my" own software, especially not before VLC 2.2.2 gets released.

-- 
Rémi Denis-Courmont
http://www.remlab.net/