Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions
Date: Thu, 23 Jan 2025 23:35:42 +0100
Message-ID: <20250123223542.GC4991@pb2> (raw)
In-Reply-To: <CABGuwEnk091j38WTwCVVP9Wcd3pQMCQYEG7t5fHL8HoqQ2czZQ@mail.gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 1991 bytes --]

Hi Kieran

On Thu, Jan 23, 2025 at 09:54:36PM +0000, Kieran Kunhya via ffmpeg-devel wrote:
> On Thu, 23 Jan 2025, 00:11 Michael Niedermayer, <michael@niedermayer.cc>
> wrote:
> 
> > Hi Kieran
> >
> > On Wed, Jan 22, 2025 at 10:47:52PM +0000, Kieran Kunhya via ffmpeg-devel
> > wrote:
> > > On Wed, 22 Jan 2025, 20:36 Michael Niedermayer, <michael@niedermayer.cc>
> > > wrote:
> > >
> > > > This blocks disallowed extensions from probing
> > > > It also requires all available segments to have matching extensions to
> > the
> > > > format
> > > > mpegts is treated independent of the extension
> > > >
> > >
> > > Potentially this is a stupid question but what stops an attacker from
> > > faking the extension?
> >
> > How would he fake the extension ?
> >
> > The attacker generally wants to access a sensitive file, maybe one in
> > /etc or maybe .ssh with something like the tty demuxer / ansi decoder
> >
> > lets pick /etc/passwd as a specific example
> >
> 
> Is there no control character they can use to fake the extension
> potentially?

If your question is, if theres a sequence of characters that gets interpreted
as an extension thats then not in the file that is being opened on one platform

Thats an interresting question, do you know of such a case ?


> 
> As an aside, why is this CVE from 2023 being fixed now?

Because it was reported now

more precissely, IIRC alexander strasser reported it after seeing it on
https://bugzilla.redhat.com/show_bug.cgi?id=2334338

I then tried to contact Harvey Phillips of Amazon Element55
and once i got in contact with him looked into fixing the
issues ffmpeg was still vulnerable to.

Yes, some CVEs out there are not reported to ffmpeg-security
at the time they should have been.

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

  reply	other threads:[~2025-01-23 22:35 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-22 20:36 [FFmpeg-devel] [PATCH 1/2] Revert "avformat/mpegts: Add standard extension so hls can check in extension_picky mode" Michael Niedermayer
2025-01-22 20:36 ` [FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions Michael Niedermayer
2025-01-22 22:47   ` Kieran Kunhya via ffmpeg-devel
2025-01-23  0:11     ` Michael Niedermayer
2025-01-23 21:54       ` Kieran Kunhya via ffmpeg-devel
2025-01-23 22:35         ` Michael Niedermayer [this message]
2025-01-23 21:27   ` Michael Niedermayer
2025-01-25 20:38     ` Michael Niedermayer
2025-01-28  5:11       ` Vittorio Giovara
2025-01-28 12:14         ` Michael Niedermayer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250123223542.GC4991@pb2 \
    --to=michael@niedermayer.cc \
    --cc=ffmpeg-devel@ffmpeg.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git