[vlc-devel] [PACKAGERS] libavformat leak security advisory
Rémi Denis-Courmont
remi at remlab.net
Sat Jan 16 15:13:10 CET 2016
tl;dr:
1) The libavformat vulnerability affects VLC.
2) The FFmpeg 2.8.5 release does NOT address the vulnerability.
Hello,
As many of you already know by now, there is a lot of fuss about an information
leak vulnerability in libavformat at the moment. The issue affects both the libav
and FFmpeg sides of the forked project.
At the time of writing, fixing efforts have concentrated on the libavformat
HLS implementation. Because the root cause of the problem is not in HLS, those
efforts have failed.
On the one hand, the libav project has one unmerged patch to address the
problem. The patch does not address the VLC vulnerability. On the other hand,
the FFmpeg project has made a release claiming to fix the problem (2.8.5). The
release does not fix the problem.
To fix the problem in VLC:
- If you use libavformat from VLC 2.2 contribs:
  - upgrade to version 2.2.1-421-gfb70035 (or later),
  - rebuild contribs,
  - then rebuild VLC.
- If you use libavformat from VLC git contribs:
  - upgrade to version 2.2.0-git-6120-g2fc4c0c (or later),
  - rebuild contribs,
  - then rebuild VLC.
- If you use an external dynamically linked libavformat:
  - disable the concat protocol while building libavformat,
    e.g. ./configure --disable-protocol=concat
  - reinstall libavformat,
  - restart VLC if running.
- If you use an external statically linked libavformat:
  - disable the concat protocol while building libavformat,
    e.g. ./configure --disable-protocol=concat
  - reinstall libavformat,
  - rebuild VLC,
  - reinstall VLC.
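For the two external-libavformat cases, a packager will want to confirm after reinstalling that the concat protocol really is gone from the library VLC links against. The script below is an added example written for this advisory, not VLC or FFmpeg code. It parses the protocol listing printed by `ffmpeg -protocols` (a real FFmpeg option) and reports whether "concat" is still registered as an input protocol; the two listings embedded in it are constructed, abbreviated samples, not real output from any particular build.

```shell
#!/bin/sh
# Constructed sample of an `ffmpeg -protocols` listing from a build that
# still has the concat protocol compiled in (abbreviated, hypothetical).
SAMPLE_WITH_CONCAT='Supported file protocols:
Input:
  cache
  concat
  file
  http
Output:
  file
  http'

# Constructed sample from a build configured with --disable-protocol=concat.
SAMPLE_WITHOUT_CONCAT='Supported file protocols:
Input:
  cache
  file
  http
Output:
  file
  http'

# concat_input_enabled LISTING
# Returns 0 if "concat" appears in the Input: section of the listing,
# 1 otherwise. Only the Input: section matters: the advisory's mitigation
# is to stop libavformat from *opening* concat URLs, so an entry under
# Output: (or anywhere else) is not what we are looking for.
concat_input_enabled() {
    printf '%s\n' "$1" | awk '
        /^Input:/  { in_input = 1; next }
        /^Output:/ { in_input = 0 }
        in_input && $1 == "concat" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_installed_ffmpeg
# Queries the ffmpeg binary on PATH and applies the check to its libavformat.
# Exit status: 0 = concat disabled, 1 = concat still enabled, 2 = cannot tell.
check_installed_ffmpeg() {
    if ! command -v ffmpeg >/dev/null 2>&1; then
        echo "ffmpeg binary not found; cannot query libavformat protocols" >&2
        return 2
    fi
    if concat_input_enabled "$(ffmpeg -hide_banner -protocols 2>/dev/null)"; then
        echo "concat protocol is ENABLED: rebuild libavformat with --disable-protocol=concat"
        return 1
    fi
    echo "concat protocol is disabled in the linked libavformat"
    return 0
}

# Demonstration on the constructed samples (the real check is
# check_installed_ffmpeg, run on the packaging host after reinstalling).
for sample in "$SAMPLE_WITH_CONCAT" "$SAMPLE_WITHOUT_CONCAT"; do
    if concat_input_enabled "$sample"; then
        echo "sample: concat enabled"
    else
        echo "sample: concat disabled"
    fi
done
```

One caveat when using this on a real host: `ffmpeg -protocols` describes the libavformat that the ffmpeg binary links, which is only the same library VLC uses in the two external-libavformat cases above. For the contribs cases, the fixed library lives inside the VLC build tree and the system ffmpeg says nothing about it; there the version bump of the contribs is the thing to verify.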
--
Rémi Denis-Courmont
http://www.remlab.net/