CVE-2023-6602: 
Ffmpeg vulnerability analysis and mitigation

A vulnerability was discovered in FFmpeg's TTY Demuxer that allows possible data exfiltration through improper parsing of non-TTY-compliant input files in HLS playlists (Red Hat Bugzilla).

The vulnerability exists in FFmpeg's TTY demuxer where it processes input files that do not meet TTY requirements. The TTY demuxer normally only triggers for specific file extensions (ans, art, asc, diz, ice, nfo, txt, or vt), but this vulnerability allows it to be triggered even when the input file does not meet these requirements. The demuxer treats all input as ASCII and renders it in the video output (Red Hat Bugzilla).

The primary impact of this vulnerability is the potential for data exfiltration. Since the TTY demuxer processes all input as ASCII and displays it in video output, attackers could potentially access and expose sensitive information through maliciously crafted input files (Red Hat Bugzilla).

When encountering a failed common multimedia extension check, the system should discard the identified demuxer and restart the identification process with the next input in the playlist. Additionally, the TTY demuxer should only be triggered if the input file extension matches known and approved values (Red Hat Bugzilla).