An ffmpeg vulnerability allows reading local files and sending them over the network using a specially crafted video file. This affects not only file conversion (including thumbnail generation), but also any other operation that involves ffmpeg processing your file — for example, ffprobe is affected.
This is not remote code execution; the vulnerability is limited to reading local files and sending them over the network, but that is already bad enough.
For example, a specially crafted «video» file uploaded to your server by an attacker could read your website config/private keys/etc and send that to the attacker once you try to generate a thumbnail for it or just probe it with ffmpeg.
On a PC, you don't even need to open the file to be affected; just downloading it is enough in some cases — video files are processed with ffmpeg for file manager thumbnails (e.g. KDE Dolphin), for search indexers, etc.
The vulnerability is public, has code samples to reproduce it and build a malicious file, and is not fixed at the moment.
The recommended quick fix is to rebuild ffmpeg without network support (--disable-network configure flag).
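To verify that a given ffmpeg binary was actually built this way, the following added example (not from the original post) checks the build configuration for --disable-network and the protocol listing for network protocols. The sample outputs are constructed, and the NET_PROTOCOLS list and function names are assumptions of this example, not an exhaustive set.

```shell
#!/bin/sh
# Added example: audit an ffmpeg build for network support.
# Assumption: common network-backed protocol names, not an exhaustive list.
NET_PROTOCOLS='ftp http https rtmp rtp tcp tls udp'

# Read `ffmpeg -protocols` output on stdin; print the network protocols found.
network_protocols_in() {
    awk -v list="$NET_PROTOCOLS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) net[a[i]] = 1 }
        # Protocol names appear one per line under the Input:/Output: headings.
        NF == 1 && ($1 in net) && !seen[$1]++ { print $1 }
    ' | sort | tr "\n" " " | sed 's/ $//'
}

# True if the build configuration text contains the --disable-network flag.
built_without_network() {
    printf '%s\n' "$1" | grep -q -- '--disable-network'
}

# $1 = build configuration text, $2 = protocol listing text.
audit_ffmpeg() {
    audit_found=$(printf '%s\n' "$2" | network_protocols_in)
    if built_without_network "$1" && [ -z "$audit_found" ]; then
        echo "OK: no network support"
    else
        echo "EXPOSED: network protocols available: ${audit_found:-unknown}"
    fi
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_CONF_DEFAULT='configuration: --prefix=/usr --enable-gpl'
SAMPLE_PROTO_DEFAULT='Supported file protocols:
Input:
  file
  http
  tcp
Output:
  file
  udp'
SAMPLE_CONF_FIXED='configuration: --prefix=/usr --enable-gpl --disable-network'
SAMPLE_PROTO_FIXED='Supported file protocols:
Input:
  file
Output:
  file'
# On a real host, pass the live output instead:
#   audit_ffmpeg "$(ffmpeg -hide_banner -buildconf)" "$(ffmpeg -hide_banner -protocols)"
audit_ffmpeg "$SAMPLE_CONF_DEFAULT" "$SAMPLE_PROTO_DEFAULT"
audit_ffmpeg "$SAMPLE_CONF_FIXED" "$SAMPLE_PROTO_FIXED"
```

Run the same check against every ffmpeg and ffprobe binary on the host, including copies bundled with other applications.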
Original post: http://habrahabr.ru/company/mailru/blog/274855/
The original text is in Russian; use https://translate.yandex.com or https://translate.google.com/ to read it.