CVE-2016-1897 (concat) and CVE-2016-1898 (subfile) were assigned to this bug, which (among other potentially security relevant issues) is fixed in FFmpeg 2.7.5 (the lines below starting with avformat/hls refer to this bug).
Attached is a debdiff. (git repo is at [1]) Testing performed (in a wily chroot): * build including test suite works * installation works * upgrade works * autopkgtests pass >From the upstream Changelog: version 2.7.5 - configure: bump copyright year to 2016 - avformat/hls: Even stricter URL checks - avformat/hls: More strict url checks - swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls - swscale/yuv2rgb: Increase YUV2RGB table headroom - swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out - avformat/hls: forbid all protocols except http(s) & file - avformat/aviobuf: Fix end check in put_str16() - avformat/asfenc: Check pts - avcodec/mpeg4video: Check time_incr - avcodec/wavpackenc: Check the number of channels - avcodec/wavpackenc: Headers are per channel - avcodec/aacdec_template: Check id_map - avcodec/dvdec: Fix "left shift of negative value -254" - avcodec/mjpegdec: Fix negative shift - avcodec/mss2: Check for repeat overflow - avformat: Add integer fps from 31 to 60 to get_std_framerate() - avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range - avfilter/vf_scale: set proper out frame color range - avcodec/motion_est: Fix mv_penalty table size - avcodec/h264_slice: Fix integer overflow in implicit weight computation - swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions - avcodec/put_bits: Always check buffer end before writing - mjpegdec: extend check for incompatible values of s->rgb and s->ls - swscale/utils: Fix intermediate format for cascaded alpha downscaling - x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse - avfilter/vf_zoompan: do not free frame we pushed to lavfi 1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=wily ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-1897 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-1898 ** Patch added: "debdiff for 2.7.5" https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+attachment/4550765/+files/ffmpeg_2.7.5.diff ** Changed in: ffmpeg (Ubuntu) Status: Incomplete => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1533367 Title: ffmpeg allows Server-Side Request Forgery attack To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs