FFmpeg security hole

Does this affect the version in the custom firmware?

RISKS-LIST: Risks-Forum Digest Saturday 5 July 2014 Volume 28 : Issue 06

Raising Lazarus - The 20 Year Old Bug that Went to Mars

Buffer overflows in 20-year-old LZ decompression code (Don A. Bailey via Henry Baker)

Users

All users of FFmpeg, Libav, and projects that depend on them, should
consider themselves at risk to remote code execution. Period. Please
update your software from the FFmpeg and Libav websites, or refrain from
using these applications until your distribution has an adequate patch.

Technical details of the 'bug' (which even exists on Mars!!) can be found here:

Raising Lazarus - The 20 Year Old Bug that Went to Mars

http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html

https://groups.google.com/forum/#!topic/comp.risks/pniAM_boB_s

[End Quote]
 
I'm no expert but I decided to read the thread and, as far as I can see, the threat depends on a specific data stream being fed into ffmpeg which would cause code to be executed on our boxes.

The only source we have for data is the broadcast stream so the 'hacking' code would have to be broadcast first before it hit our boxes.

So, sure, it could happen, but it seems rather unlikely. A potential hacker would have to first hack their way into the multiplexing equipment for one of the broadcasters. Maybe, just maybe, they could approach this with a feed from a channel (possibly using the very same vulnerability) but how would they get into a channel feed in the first place?

Yes, we should fix our ffmpeg but I won't be losing sleep over it.
 
Me neither. Plus the fact that there is no sensitive data on my Humax apart from my wifi password, which is only of use if you are in the immediate vicinity.

If it was storing credit card or bank details, then fair enough, but it's got nothing like that on it, so there is nothing to hack for.
 
That may be true but if the code that runs sniffs your network it could easily install itself onto other devices on your network which may have more worrying data on them, not to mention sniffing packets on your network for everything you do.
 
Yes, very low, but I guess Linux is a common OS to target for this kind of thing. It doesn't need to be Humax-specific, just looking for an STB with a Linux OS (which is most of them).

As I say, I'm not losing sleep though.
 
The common target will be Linux on x86 rather than mipsel, but we should try to update. The problem is that newer versions of ffmpeg don't seem to work properly on this platform.
 