Arbitrary file read via ffmpeg HLS parser at https://www.flickr.com/photos/upload
Critical
Flickr
Reported by
asad0x01_
Vulnerability Details
Technical details and impact analysis
Summary: FFmpeg is video and audio software that is used for generating previews and for converting videos. Your current installation allows HLS playlists that contain references to external files, which leads to local file disclosure.
Steps to Reproduce:
1. Download the attached file. {F413554}
2. Go to https://www.flickr.com/photos/upload/ and upload the attached file.
3. Now go to https://www.flickr.com/cameraroll and you should be able to see the contents of /etc/passwd. {F413555}
For a clear view, open the video from the **Photostream** section.
Please let me know if you need any help :)
## Impact
An attacker can read /etc/passwd or other contents. Also, from what I've seen, it is possible to escalate this vulnerability to SSRF (https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf). Since I don't have a server, I couldn't test it :(
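An upload-side check for the issue reported above, as an added example that is not part of the original report or Flickr's code: it finds an HLS playlist by content rather than by file extension and lists every reference the demuxer would be asked to open. The function names, the empty scheme allowlist and the sample bytes are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

HLS_MARKER = b"#EXTM3U"
URI_ATTR = re.compile(r'URI="([^"]*)"')   # URI attribute inside a playlist tag
ALLOWED_SCHEMES = frozenset()             # assumption: an upload never needs to fetch anything

def playlist_references(data: bytes) -> list[str]:
    """List every URI that a playlist found in `data` asks the demuxer to open."""
    start = data.find(HLS_MARKER)         # match on content, not on the file extension
    if start == -1:
        return []
    refs = []
    for line in data[start:].decode("utf-8", errors="replace").splitlines()[1:]:
        line = line.strip()
        if line.startswith("#"):
            refs.extend(URI_ATTR.findall(line))   # references carried by tags
        elif line:
            refs.append(line)                     # media segment or nested playlist
    return refs

def classify(ref: str) -> str:
    """'local' = path on the transcoding host, 'external' = any other URI scheme."""
    scheme = urlsplit(ref).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return "allowed"
    return "local" if scheme in ("", "file") else "external"

def review_upload(data: bytes) -> dict:
    """Reject an upload whose playlist has any reference outside the allowlist."""
    findings = [(ref, classify(ref)) for ref in playlist_references(data)]
    blocked = [f for f in findings if f[1] != "allowed"]
    return {"is_playlist": HLS_MARKER in data, "findings": findings,
            "verdict": "reject" if blocked else "accept"}

# Constructed sample inputs (not the report's attachment).
SAMPLE_PLAYLIST = (b"#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n"
                   b'#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example/k"\n'
                   b"#EXTINF:10.0,\nfile:///constructed/local/path\n"
                   b"#EXTINF:10.0,\nsegment1.ts\n#EXT-X-ENDLIST\n")
SAMPLE_VIDEO = b"\x00\x00\x00\x18ftypmp42" + bytes(32)

if __name__ == "__main__":
    for name, blob in (("playlist", SAMPLE_PLAYLIST), ("video", SAMPLE_VIDEO)):
        print(name, review_upload(blob))
```

A content check like this complements, rather than replaces, running FFmpeg with a restrictive `-protocol_whitelist` inside a sandbox that has no access to sensitive files or internal networks.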
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Code Injection