Zero-Day Vulnerability Discovered In FFmpeg Lets Attackers Steal

You are currently reading a thread in /g/ - Technology

Thread replies: 185
Thread images: 27
>The attack does not even require the user to open that file - for example, KDE Dolphin thumbnail generation is enough
mfw looonix fags btfo once more with their open sores trash
>>
ROFLCOPTER
>>
CVE?
>>
>>52430077
It's been patched. Problem solved.
>>
>anyone with a brain using ffmpeg
>>
>Open source is more secure!
>>
>>52430111
not for those who aren't updated.

for example, any program using a bundled ffmpeg
>>
>>52430125
It's too bad that your package maintainers are too slow.
>>
I just upgraded klite codec pack. What do I do now?
>>
>>52430111
>The recommended work-around is to rebuild ffmpeg without network support (--disable-network configure flag) until the vulnerability is fixed upstream.

it's not patched, just the usual open sores shit tier quickfix that will turn permanent.
>>
>>52430077
>>52430123
if this was on windows, you would never even have known about the exploit
>>
>>52430077
Ever heard of system update you fucking dumb frogposter?
Also
>all these illiterate winniggers ITT
>>
>>52430239
Check'em
>>
>>52430077
People still use ffmpeg?
>>
>>52430142
>klite codec pack
>>
>>52430077
>KDE Dolphin thumbnail generation is enough
The only linux file picker with proper thumbnails and this is how they do it? kek!
>>
>>52430077
Daily reminder to sage and hide any frog posters. Replying to their threads is a clear example of being a cuck
>>
>>52432821
Linux is basically just a cheap imitation of a real operating system.
>>
>>52432868
bump
>>
>>52430077
Isn't ffmpeg a cross-platform program?
I have seen ffmpeg licenses on foobar.
Why is Linux BTFO then?
>>
>>52432873
Retarded winnigger who doesn't even care to Google. As I said in >>52432868, to stop looking like an idiot.
>>
>>52432873
Except it's a functional superset of your "real operating systems"

>mfw windows can't even use any other filesystem than fat and NTFS and whatever that shitty filesystem windows made
>Linux runs on more devices (including embedded devices) than your shitty windows and OSX combined
>>
>>52432902 was meant for
>>52432885
>>
>>52432903
>mfw windows can't even use any other filesystem than fat and NTFS and whatever that shitty filesystem windows made
Linux = quantity over quality.

>Linux runs on more devices (including embedded devices) than your shitty windows and OSX combined
Linux = quantity over quality.
>>
>>52430077
http://habrahabr.ru/company/mailru/blog/274855/
>>
Don't reply anon. Even OP came to know about it from that patch-enabled post earlier. Winniggers are hilarious
>>
>>52430077
This isn't Linux specific. Pretty much any media application worth anything uses FFmpeg, including MPC-HC on Windows (with LAV.) Windows also has FFmpeg-based thumbnailers (like Icaros,) though I'm not sure if any are built with network support.

>>52432885
Yep. You're right. OP is retarded.
>>
>>52432921
>quantity over quality
My dick is small so let me act like girls like smaller
>>
>>52432961
>My dick is small so let me act like girls like smaller

Are you giving us all a tl;dr of the GPL license?
>>
>>52432971
No I was using the same retarded logic you were using
>>
>>52432921
>Quantity over quality
Guess what runs on most of the world's supercomputers and satellites?
>>
>>52430077
neckbeards freetards BTFO
kek
>>
>>52430077
sauce?
>>
>>52433018
>>52433016
See
>>52432957
>>
>>52430077
http://news.softpedia.com/news/zero-day-ffmpeg-vulnerability-lets-anyone-steal-files-from-remote-machines-498880.shtml

>Already patched in Arch Linux
>We've been informed earlier today, January 13, 2016, that Arch Linux developers have already patched the FFmpeg 2.8.4 packages in the operating system by rebuilding them without the AppleHTTP and HLS demuxers. Therefore, all Arch Linux users are urged to update their FFmpeg packages to version 2.8.4-3. It is also possible to fix the issue by rebuilding the FFmpeg packages without network support, using the --disable-network configure flag, but that seems a bit too much.

Why aren't you using arch?
>>
>>52432821
>The only linux file picker
>>52430077
>>52433016 (Samefag)
Dumb fucking frogposter leave now.
>>
>>52433170
>>The only linux file picker
Nice selective quoting there, did you have no real argument or did your poor frontal lobe development limit you from reading past the 5th word?
>>
>>52433170
spotted the neckbeard freetard
You're getting there, anon, keep trying
>>
Is vlc safe?
>>
>>52433195
I wanna know about mpv too.
>>
>>52433182
>He thinks only dolphin users have proper thumbnails
Kill self, paypay trader
>>52433193
Hi there winnigger prajeet, that's some absolute proof, BTFO right? :DDD
Now go take your poo to the loo before it stinks
>>
>>52432868
>>52432902
>>52433170
>>52433222
>>
>>52433334
All me though
>>
>>52433094
>patched by rebuilding them without the vulnerable components
That's not how you patch vulnerabilities!
This is exactly why I don't use Arch!
>>
>>52433334
Nice try OP. Still doesn't prove you are not a retard
>>
>>52432921
>NTFS
>Quality
>>
ffmpeg is used on basically any platform. Most windows media players and music players use ffmpeg too, but unlike on Linux you won't have an easy central way to update it, any application still might run with an outdated ffmpeg version (see >>52430125)
>>
>>52433534
Just block it from using the Internet.
Problem solved.
>>
I had to work on ffmpeg in my first job ever. I was surprised how bad the code is. Several-hundred-line methods, many GOTO statements. At one point I even stumbled upon a comment that said something like "the code below is really shitty".
>>
>>52433619
they know it's shit and so does everyone else.

that's why normal people use libav
>>
>>52433626
>that's why normal people use libav

libav still lacks the infamous "thousand fixes" that google upstreamed to ffmpeg and should be considered dangerous on a machine with an internet connection since libav began to exist.
>>
>>52433626
No one uses libav any more. It's also fucking garbage and the only reason it still exists is to satisfy the egos of the few developers it has left.
>>
>using ffmpeg
>>
>>52433619
>many GOTO statements.
I just did a quick search for "goto" and it looks like most of them are forward gotos used for error handling. This is fine in C (and in any language that has goto, but lacks exceptions.) Your other criticisms are probably true though.
>>
How does the exploit work?
>>
>>52435369
>This is fine in C
Unless you're writing secure authentication code and the default case is a success, of course.
>>
Even after it's fixed, windows users'll continue to use old versions for years. Because almost all major players use ffmpeg.
>>
>>52435783
Only retard programmers think that bug was because of goto. If it was written in a different language and that line was a throw or return statement, the same bug could have happened. It was because of indentation. If you really want to protect against it, you could put curly braces around all single line if bodies, or soon, you'll be able to use GCC 6.0's misleading indentation warnings.
>>
>freetard security
https://en.wikipedia.org/wiki/Heartbleed
https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
http://thehackernews.com/2015/12/hack-linux-grub-password.html
>>
>>52430077
You dumb niggger, this affects Windows and homOSeX too.
>>
>>52435844
see
>>52435846
also shellshock has been patched and even bigger vulnerabilities happened to windows
>>
>>52435844
also grub password is not serious. Almost anyone with physical access to your computer can do anything they want
>>
>>52435846

windows and osx don't come installed with ffmpeg.. and you can't even install it either, nor will it have access to the web

on loonshit ffmpeg literally comes installed and has network access.
>>
>>52435844
>grub password
>literally fake security in the first place

>windows doesn't have a password on the boot loader at all
>hurr windows has no security at all
>>
>>52435821
I would just say that "goto fail;" should lead to a fail state 100% of the time. Anything else is clearly fucked.
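An added example (not code from FFmpeg or from any poster in this thread) of the two goto shapes argued about above: the forward-goto cleanup idiom that is fine in C, beside the fail-open "goto fail;" shape where an unbraced if body plus a duplicated line skips a check and still reports success. The step_* checks and the "OK:" message format are constructed stand-ins for real verification steps.

```c
/* Added example, not FFmpeg code and not any poster's code. The step_* checks
 * are constructed stand-ins: each returns 0 on success and non-zero on error,
 * the convention many C APIs use. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int step_parse(const char *msg)
{
    return msg == NULL || msg[0] == '\0';
}

static int step_check_len(const char *msg, size_t max_len)
{
    return strlen(msg) > max_len;
}

static int step_check_tag(const char *msg)
{
    return strncmp(msg, "OK:", 3) != 0;
}

/* Fail-closed forward goto: returns 1 only on the single fully checked path.
 * The accept flag starts at "reject", every early exit jumps forward to one
 * cleanup label that only releases resources, and every if body is braced. */
int verify_message(const char *msg, size_t max_len)
{
    int accept = 0;          /* assume failure until every check has passed */
    char *copy = NULL;       /* released at the single exit */
    size_t n;

    if (step_parse(msg)) {
        goto cleanup;
    }
    n = strlen(msg) + 1;
    copy = malloc(n);
    if (copy == NULL) {
        goto cleanup;
    }
    memcpy(copy, msg, n);
    if (step_check_len(copy, max_len)) {
        goto cleanup;
    }
    if (step_check_tag(copy)) {
        goto cleanup;
    }
    accept = 1;              /* the only line that grants success */

cleanup:
    free(copy);              /* free(NULL) is a no-op, so this is safe on every path */
    return accept;
}

/* Fail-open shape: the outcome is "whatever the last step returned". The
 * duplicated goto below is unconditional (indentation is not scope in C), so
 * step_check_tag is never reached and err still holds the 0 from the
 * successful length check. Untagged input is therefore accepted. */
int verify_message_fail_open(const char *msg, size_t max_len)
{
    int err = 0;

    if ((err = step_parse(msg)) != 0)
        goto fail;
    if ((err = step_check_len(msg, max_len)) != 0)
        goto fail;
        goto fail;           /* looks guarded, is not: skips the tag check */
    if ((err = step_check_tag(msg)) != 0)
        goto fail;

fail:
    return err == 0;         /* 0 means "no error seen", i.e. accept */
}

int main(void)
{
    /* Same untagged input: the fail-closed version rejects it, the
     * fail-open version accepts it. Returns 1 = accept, 0 = reject. */
    printf("fail-closed: %d\n", verify_message("BAD:hello", 64));
    printf("fail-open:   %d\n", verify_message_fail_open("BAD:hello", 64));
    return 0;
}
```

GCC 6 and later flag the duplicated goto with -Wmisleading-indentation under -Wall; bracing every if body removes the ambiguity regardless of compiler.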
>>
>>52435867
>>52435876
>>52435883


DAMAGE CONTROL
A
M
A
G
E

C
O
N
T
R
O
L
>>
>>52435881
http://it.slashdot.org/story/16/01/14/2214244/zero-day-vulnerability-discovered-in-ffmpeg-lets-attackers-steal-files-remotely
> A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, has been discovered recently by Russian programmer Maxim Andreev in the current stable builds of the software. It appears to let anyone with the necessary skills hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file. Arch Linux devs already rebuilt their FFmpeg packages without the AppleHTTP and HLS demuxers.
Umm...what?
>>
>>52435881
nice meme anon
i thought winfags here actually knew about windows more than i did
also Linux doesn't have it by default unless you install a media player. almost all windows media players use ffmpeg
>>
>don't enable remote access
>???
>>
>>52435905
>i have run out of arguments
>i will just say they are on suicide watch
>i win fags
>>
>>52435914
winniggers are hilarious
>>
>>52435914
>also Linux doesn't have it by default

yes it does. how do you think loonshit generates thumbnails for its videos?
>>
>>52435905
>Being this buttdevastated over your shilling thread failing
Microshills sure are cute when they get angry.
>>
>>52435905
>Damage Control
Translation: Winbabby ran out of arguments
>>
>>52435844
>proprietary shitware security
https://code.google.com/p/google-security-research/issues/detail?id=693
http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit/
http://www.zdnet.com/article/serious-security-flaw-in-os-x-yosemite-rootpipe/
>>
>>52435881
Uhh no it doesn't. The distribution of ffmpeg is pretty tightly regulated because it ships with a lot of patent encumbered codecs.
>>
>>52435976
>>52435974
>>52435941

Here's your argument:
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/

Now please consider suicide.
>>
>>52435967
Linux is a kernel and doesn't generate thumbnails.
Also
>implying all file managers that you install generate thumbnails
>>
>>52435967
Where do I claim that?
>>
>>52435967
delete the post if you don't want to be seen as retarded
as i said there is a choice to actually install a media player in Linux. Ubuntu might bundle it with a media player but not arch
>>
>>52435967
A lot of distros do use FFMpeg to generate thumbnails for videos, but they don't have the vulnerable components in their builds.

In short:
>Vulnerabilities found
>But only in components that most uses of the software don't even bother building
>So it doesn't even affect the vast majority of people using it
>>
>>52435881
>and you can't even install it either
???

It comes bundled with Chrome, Firefox, MPC-HC and VLC. It's so easy to install FFmpeg on Windows that you probably have multiple network-enabled copies of it without knowing.

>nor will it have access to the web
I'm fairly sure LAV's FFmpeg is built with network access. Chrome's is too.
>>
>>52436000
>argument is: we don't know of problems but there might be some
okay kid
>>
can't wait for the massive botnet caused by normies using kodi to watch yiffy movies
>>
>>52436062
>reading comprehension
>>
I don't understand this. Why is a network connection made any time it reads a local file? Is it listening for something? Is it going somewhere?
>>
>>52435881
>>
>>52436000
the blog says
>there might be vulnerabilities in Linux
ok now tell him to show the vulnerabilities instead of complaining
>linus doesn't care about security but prefers performance
Linus admits it and says if anyone cares about security they should be using obscure oses like bsd
>>
>>52436000
>Linus doesn’t take security seriously
That's just false. Linus does not get involved in debates, he tries to make his kernel as generic as possible so anyone can make use of it.

Linux actually has a lot of security features in the tree but they're not always enabled by default. Linus tries to leave the security features up to the downstream developers because a lot of them have the potential to break userspace applications. Many of the bigger distros enable those security features though. Fedora derivatives, SUSE derivatives, and ubuntu derivatives enable them. I don't know whether debian itself enables them but they have a list of them

https://wiki.debian.org/Hardening
>>
>>52436071
>self projection using green arrow meme
>>
>>52436000
>Article actually tries to use non-kernel vulnerabilities to talk about how vulnerable the kernel could possibly be
>Also calls an Android rooting application a "Linux exploit"
>Whole article is basically one big hunk of hyperbole
Seeing how you fell for this piece I'd say it's you who should consider suicide seeing how you don't seem to be able to recognize hyperbole when it hops up and down right in front of you.
>>
>>52436071
>Hurr durr... All this hyperbole MUST be true because there's so much of it
Do microshills ever get tired of being this retarded?
>>
>>52436175
http://mjg59.dreamwidth.org/38158.html
>>
>>52435881
>windows and osx don't come installed with ffmpeg.. and you can't even install it either, nor will it have access to the web
Goodness gracious so this is how much winbabbies know about their OS
>>
>>52436233
/thread/
>>
I've never seen so many assblasted and defensive freetards in a thread.
Your time on /g/ is running up, faggots.
>>
>>52436302
Go and watch a video on your Windows Semen without ffmpeg. Oh, stop, you can't.
>>
>>52436302
however i thought winniggers to actually know what they. seeing how ignorant winniggers on this thread are i am considering removing my windows partition
>>
Threadly reminder

>rendering your fonts in the kernel
>20XX

https://www.cvedetails.com/cve/CVE-2010-1255/
https://www.cvedetails.com/cve/CVE-2011-3402/
https://www.cvedetails.com/cve/CVE-2012-2897/
https://www.cvedetails.com/cve/CVE-2012-4786/
https://www.cvedetails.com/cve/CVE-2013-3129/
https://www.cvedetails.com/cve/CVE-2013-3894/
https://www.cvedetails.com/cve/CVE-2014-4148/
https://www.cvedetails.com/cve/CVE-2015-0059/
>>
in case winniggers again say muh linux btfo
>>
>>52432885
this.
Windows users will have to deal with every program that uses it separately.

Linux users will just have to fetch their updates.
>>
>>52436302
>You time on /g/ is running up, faggots
Winiggers like you aren't smart enough to be a threat. Please stick around though, I haven't laughed like this in ages.
>>
>>52436302
Are we reading the same thread? I've never seen so many retarded winidiots. The whole premise of the thread is that the FFmpeg vuln is a Linux vuln, but I doubt there's a Windows user here who doesn't have FFmpeg on their machine in some form or another. If you're going to side with OP, please explain to me how this thread isn't total horseshit.
>>
>>52436366
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0057

>when your OS handles scrollbars in kernel
>>
>>52436380
I like how 'no one uses free software' and 'look at how much is fucked because this free software went bad' are in the same pool of arguments for wintards.
>>
>>52436366
This. This is why Windows security will always be a joke. It's not just font rendering related vulnerabilities either, there are so many win32k.sys vulnerabilities related to seemingly innocuous aspects of the windowing system that just happen to be implemented in the kernel. If Microsoft cared, they'd rewrite the whole thing in user mode like it wasn't the fucking 80's, but they don't care. Writing secure software isn't part of their strategy. It's all fucking touch-based HTML apps. All the new crap in Windows 10 should not exist because Microsoft hasn't even gotten the basics right.
>>
>>52436595
Even macfags aren't that stupid.
>>
>>52430111
/Thread

>meanwhile it would've taken Micropooinloo a few months to issue an update
>>
Don't windows users also use ffmpeg for thumbnail generation as well, for anything not built in?
Like h264 h10p, h264 on win7, etc.
>>
>>52436738
Yes. Yes they do.
>>
>>52436738
Basically any application capable of playing media that windows doesn't already support uses ffmpeg in some way.
>>
How do we know this is the first person to come across this?

This could have been used for a while now for targeting certain people.
>>
>>52436790
Well that's one of the concerns with vulnerabilities. Generally we can assume if no one comes forward with the vulnerability and tries to sell information about it then at least it only affected a handful of people at most. So most of us are probably generally safe. If someone comes forward and sells it then the problem can be significantly worse.
>>
>ffmpeg vulnerable
>opens catalog
>2 threads for Linux btfo
>even though it affects all oses
>no windows on suicide watch of mac on suicide watch thread
why are proprietards so hilarious
>>
Oh no somebody's gonna steal mah maymays
>>
>>52436833

because ffmpeg comes pre-installed in most loonshit distros

also, you don't even have to open a file or type in a password to get infected on loonshit
>>
>>52436871
read the whole thread faggot
>>
>>52436871
no it doesn't
ffmpeg has stricter licenses and it's not installed on any os by default
>>
>>52430125
Well, fuck. Is there a new version of webm for retards?
>>
>>52436871
Just Windows users, people
>>
>>52436911
It can be installed though but due to the licensing problems it's usually in the non-free or restricted repos and requires specific configuration to fetch it.
>>
>>52436871 see >>52436380
now delete your post and stop embarrassing yourself
>>
>>52436707
If you honestly think what you've said is true, then please refrain from posting anything you think on this board in the future.
>>
>apt-get remove ffmpeg
Problem solved.

What is that? Every Windows program that uses ffmpeg provides its own separate binary for it? Well, good luck cleaning up that mess Wintards.
>>
Someone should screen shot save this thread. The amount of ignorance and buttblast winniggers have on this thread will be enough to give laughs for an hea year
>>
>>52437012
read the whole thread faggot
gee these winniggers
>>
>>52437050
Firefox has this functionality built in.

Shift+F2
screenshot <filename>(extension optional) --fullpage
>>
>>52437036
>Search 'ffmpeg.exe' in Everything
>Will locate every ffmpeg.exe on your computer
>Simply replace it with the new binary.

Takes less than a minute, fucking idiot.
>>
>>52437128
i hope you are not serious
>>
>>52437117

Holy shit, thanks for this. Had no idea it existed, very useful.
>>
>>52437128
get a load of this idiot
>>
can someone that knows how to use this exploit do it and show you doing it?
I always see people talking about exploits and backdoors but no one does shit.
>>
>>52437144
>>52437152

I've already done it and can confirm anything that uses ffmpeg has the new version, and is working fine.
>>
>>52437128
winniggers , people
>>
>>52437163
Go look up the original blogpost, it has instructions.
>>
>>52437169
okay then. make sure you fix for these too >>52436380
>>
>>52437128
The problem is that it's not an .exe file found in the directory of every program that uses it. It's instead literally baked into the binary.

So to fix this on wangblows you need to:
>Uninstall all applications using it
>Wait for all these to update themselves with the fixes or leaving out the vulnerable parts
>Install said versions when they arrive
>Which could be weeks or months away and in the case of abandonware never
>>
>>52437212
>It's instead literally baked into the binary.
Well, I can't think of any program I have that has ffmpeg merged into it, so it's not a problem for me
>>
>>52437050
>>52437128
also there are many other extended versions: opencv, ffmpeg-webm
are you telling me you are going to replace all those binaries
>>
>>52437245
Do you use foobar2000, mpv, mpc-hc, vlc, google chrome, lav filters, ffdshow, or any kind of program to generate thumbnails for videos?
>>
>>52437245
The fact that it's not clearly visible doesn't mean that it's not there.
>>
>>52437300
But that's the Windows security strategy
>>
>>52437286
I use firefox.

The rest (mpv/foobar/thumb generators) don't have internet access, so it doesn't even matter.

I suggest Windows users get TinyWall.
>>
>>52433437
Arch leaves security to upstream m8.
>>
>>52437321
Only the firefox linux version is vulnerable, so I think you are safe. Not sure though. Glad to see one intelligent windows user.
>>
ARCH
R
C
H
>>
>>52437321
>The rest(mpv/foobar/thumb generators) don't have internet access, so it doesn't even matter.
>>
>>52437117
>>52437148
This.
>>
>>52437376
Are you using a wrapper for pacman... Why?
>>
>>52437321
>tinywall over wfc
>>
>>52436385
This is an incredibly good point that never gets brought up enough.
>>
>>52437376
>removed the affected component instead of fixing the vuln

Top-tier package maintainers.
>>
>>52437178
When I try to look this up I just get the same body of text with no actual source or explanation.
>>
>>52437425
>Not knowing what TinyWall is
I choose which processes have internet access. For the most part, I only allow firefox, steam and a few others. Everything else gets blocked automatically.
>>
>>52437494
See
>>52437343
>>
>>52437344
>I think you are safe.Not sure though.Glad to see one intelligent windows user.
Is this supposed to be funny? Got me, either way.
>>
>>52437494
Why should they? They are not the devs of ffmpeg. Unless ffmpeg devs fix it, even your winkek is affected.
>>
>>52437496
http://habrahabr.ru/company/mailru/blog/274855
Not that difficult
>>
>>52437539
The words on this page look all garbled.
>>
>>52433437
>Arch devs are in charge of ffmpeg
>they should just ignore the issue until devs fix it
>>
>>52437531
Probably another ordinary gamer embarrassed by the level of ignorance shown by wincucks on this board.
>>
>>52437553
See
>>52437343
>>52437538
>>
>Windows has a major bug, like getting root from fonts, enabling pdfs, and docs to be malicious.
Eh, another day in windows land.
>Linux gets a major bug like this.
Linux is shit!

Winbabbies really like to jump on everything.
Also, see the trend micro bug for a big windows application with an even worse hole.
https://code.google.com/p/google-security-research/issues/detail?id=693
>>
>>52437538
Because it breaks HLS support. Users not knowing what the update does (aka just a daily pacman -Syu run) relying on HLS will be screwed and need to downgrade again.
>>
>>52436871
If you want thumbnails for a lot of extra media files, windows needs it too.

At least with loonshit, I can run a single command and be safe again.
>>
>>52437678
Maybe they should read documentation if HLS support is that important to them.
>>
>>52437722
No one even bothered to write it on the Arch homepage. It's just stated in this bug report.

Also, the fix has already been committed to git:
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=7145e80b4f78cff5ed5fee04d4c4d53daaa0e077;hp=92465a2347d959cbd9864b017a39b2a4ab9313ff
>>
>tfw when wintards will have to manually delete and reinstall a half dozen programs to fix this
>tfw I'll do it in one command
It feels good not being a wincuck lmao
>>
>>52437539
After reading this, I have to ask: how exactly are you going to get the malicious file to ffmpeg without having write access to the host already?
>>
>>52437798
Upload it to 4chan :^)
>>
>>52430077
Give the child a windows pc
>>
>>52436923
>webm for retards
confirmed botnet
>>
>>52437765
It's on the commit log.
https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/ffmpeg&id=ef0b4890e18a52e976274d02a09738f73a07f4d2
>>
>>52437821
That's not the real fix, that's the half-assed fix by removing the components (breaking HLS support). The commit I posted fixes the hls component by restricting the file protocols.
>>
>>52437848
>That's not the real fix
Nobody claimed otherwise. Arch devs aren't in charge of upstream. The point was that users can easily look up what the update does if they need HLS support for whatever.
>>
>open source
>hey people there's a vulnerability but it has been fixed so make sure to update

>closed source
>hey people there's a vulnerability but don't tell anyone our kike shareholders will cry about second shoah again
>>
>>52437895
>The point was that users can easily look up
Likely after applying the update. Why not just include the git commit with an actual fix?

But speaking of the commit:
Is this implementation safe? It still allows the file:// protocol, or does this exploit just work with the usage of concat?
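An added example, not FFmpeg's code and not the logic of the commit linked above, of what "restricting the file protocols" for playlist entries can look like as a defender's allowlist, and of the distinction the question above is asking about (file: still being reachable versus concat:). The policy is this example's own assumption: a remote playlist may only reference http/https, a local playlist may additionally reference relative or file: paths that stay inside its own directory, and every other scheme, concat: included, is refused. The function name nested_url_allowed and the sample URLs are constructed for the example.

```c
/* Added example: an illustrative allowlist for URLs a playlist (the parent)
 * may pull in (the child). Not FFmpeg's code; the policy is an assumption
 * made for this example, not the linked commit's logic. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_SCHEME 16

/* Extract the scheme of url (text before the first ':' that precedes any
 * slash) into out, lower-cased. Returns 1 when a scheme was found, 0 for a
 * scheme-less relative reference, -1 for a malformed one (empty, overlong,
 * or containing characters a scheme cannot contain). Note that a Windows
 * drive path like "C:\clip.ts" parses as scheme "c", which the caller then
 * refuses as unknown: the safe default for anything not explicitly allowed. */
static int url_scheme(const char *url, char out[MAX_SCHEME])
{
    size_t i, n = strcspn(url, ":/\\");
    out[0] = '\0';
    if (url[n] != ':') return 0;                /* no colon before a slash */
    if (n == 0 || n >= MAX_SCHEME) return -1;   /* empty or overlong scheme */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && c != '+' && c != '-' && c != '.') return -1;
        out[i] = (char)tolower(c);
    }
    out[n] = '\0';
    return 1;
}

/* True when a relative path cannot escape the directory it is resolved in:
 * non-empty, not absolute, and without any ".." component. Both '/' and
 * '\\' count as separators so Windows-style paths get the same treatment. */
static int path_stays_inside(const char *p)
{
    const char *seg = p;
    if (p[0] == '\0' || p[0] == '/' || p[0] == '\\') return 0;
    while (*seg != '\0') {
        const char *end = seg;
        while (*end != '\0' && *end != '/' && *end != '\\') end++;
        if (end - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        seg = (*end != '\0') ? end + 1 : end;
    }
    return 1;
}

/* Returns 1 if child may be opened on behalf of the playlist at parent. */
int nested_url_allowed(const char *parent, const char *child)
{
    char ps[MAX_SCHEME], cs[MAX_SCHEME];
    int parent_remote, parent_local, rc;

    if (child[0] == '\0') return 0;
    if (url_scheme(parent, ps) != 1) return 0;          /* parent must be absolute */
    parent_remote = strcmp(ps, "http") == 0 || strcmp(ps, "https") == 0;
    parent_local  = strcmp(ps, "file") == 0;
    if (!parent_remote && !parent_local) return 0;      /* e.g. a concat: parent */

    rc = url_scheme(child, cs);
    if (rc < 0) return 0;                               /* malformed: refuse */
    if (rc == 0) {
        /* relative reference: resolved against the parent, so it inherits the
         * parent's scheme; on a local parent it must also stay in-tree */
        return parent_remote || path_stays_inside(child);
    }
    if (strcmp(cs, "http") == 0 || strcmp(cs, "https") == 0) return 1;
    if (strcmp(cs, "file") == 0 && parent_local) {
        const char *p = child + 5;                      /* skip "file:" */
        if (strncmp(p, "//", 2) == 0) p += 2;           /* skip empty authority */
        return path_stays_inside(p);                    /* absolute paths refused */
    }
    return 0;  /* file: from a remote playlist, concat:, and everything else */
}

int main(void)
{
    /* Constructed sample parents and children; 1 = allowed, 0 = refused. */
    const char *remote = "http://cdn.example/master.m3u8";
    const char *local  = "file:///home/user/local.m3u8";
    printf("%d %d %d\n", nested_url_allowed(remote, "seg1.ts"),
           nested_url_allowed(remote, "file:///etc/hostname"),
           nested_url_allowed(remote, "concat:a|b"));
    printf("%d %d %d\n", nested_url_allowed(local, "file:sub/seg.ts"),
           nested_url_allowed(local, "../../etc/hostname"),
           nested_url_allowed(local, "C:\\clips\\a.ts"));
    return 0;
}
```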
>>
>>52438017
>Why not just include the git commit with an actual fix?
Because Arch follows upstream. Whenever ffmpeg releases a stable, fixed build, they'll probably switch.

ffmpeg guys said that disabling HLS would be a workaround.
>>
>>52437507
If you don't mind not being able to open audio or video streams, or fetch metadata or album covers or even just receive simple application updates for those things and are sure that you actually have all those restrictions in place, then you are fine.

But aren't the thumbnailers part of the file explorer process? Are you really sure that it doesn't have internet access?
>>
>>52433619
>goto considered harmful
there's nothing wrong with goto
it's just that it is often misused
>>
>>52438063
>Because Arch follows upstream

Because adding four lines to the code which have been committed to the official git breaks their release philosophy? If that's really the complete fix then I think the decision made by the repo maintainers is kinda stupid.
>>
>>52437458
It's pamac, a GUI package installer. Why not?
>>
>>52438261
No reason not to. More that there's no reason to.
>>
>>52438210
As far as I can tell, the complete fix occurred a few hours ago. Arch rebuilt ffmpeg without hls a couple of days ago when the vulnerability was discovered. It looks like there's an ffmpeg 2.8.5 now which presumably fixes the problem, so I would expect an update soon.
https://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/tags/n2.8.5
>>
test