Hi Kieran On Thu, Jan 23, 2025 at 09:54:36PM +0000, Kieran Kunhya via ffmpeg-devel wrote: > On Thu, 23 Jan 2025, 00:11 Michael Niedermayer, > wrote: > > > Hi Kieran > > > > On Wed, Jan 22, 2025 at 10:47:52PM +0000, Kieran Kunhya via ffmpeg-devel > > wrote: > > > On Wed, 22 Jan 2025, 20:36 Michael Niedermayer, > > > wrote: > > > > > > > This blocks disallowed extensions from probing > > > > It also requires all available segments to have matching extensions to > > the > > > > format > > > > mpegts is treated independent of the extension > > > > > > > > > > Potentially this is a stupid question but what stops an attacker from > > > faking the extension? > > > > How would he fake the extension ? > > > > The attacker generally wants to access a sensitive file, maybe one in > > /etc or maybe .ssh with something like the tty demuxer / ansi decoder > > > > lets pick /etc/passwd as a specific example > > > > Is there no control character they can use to fake the extension > potentially? If your question is, if theres a sequence of characters that gets interpreted as an extension thats then not in the file that is being opened on one platform Thats an interresting question, do you know of such a case ? > > As an aside, why is this CVE from 2023 being fixed now? Because it was reported now more precissely, IIRC alexander strasser reported it after seeing it on https://bugzilla.redhat.com/show_bug.cgi?id=2334338 I then tried to contact Harvey Phillips of Amazon Element55 and once i got in contact with him looked into fixing the issues ffmpeg was still vulnerable to. Yes, some CVEs out there are not reported to ffmpeg-security at the time they should have been. thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB It is dangerous to be right in matters on which the established authorities are wrong. -- Voltaire