OpenPHT v1.8.0 / FFmpeg v2.8.11 / AVI GAB2 Struct Vulnerability


#1

FFmpeg v2.8.11 is used in OpenPHT v1.8.0. How can we upgrade this? There is a GAB2 AVI vulnerability in this ffmpeg version. The attached file can be used to generate attack files: "python gen_avi.py /etc/passwd HackAVI.avi.mp4". The resulting files need to be uploaded for transcoding, and the contents of the target file can be seen on the screen in the video.


#2

Bump Bump?


#3

Bump Bump?


#4

My understanding of this vulnerability is that it only affects encoding and not decoding. OpenPHT is using ffmpeg for decoding and should not be affected.

How have you been able to replicate this vulnerability?
Do you see the file content from your PMS that is doing transcoding or a file from your client where OpenPHT is running?


#5

Yes, that's true. Currently I don't have OpenPHT running on a Raspberry Pi. I intended to get it running but stopped, given this vulnerability, just to get a confirmation. Do you mean to imply that there is absolutely no case where OpenPHT will encode? I know Plex is a server-side system. By the way, do you have an idea about PMS?
I am going to install & test now.
Thanks for your words.