From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id 3DCDA4C671 for ; Thu, 23 Jan 2025 22:35:55 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id A953768B797; Fri, 24 Jan 2025 00:35:51 +0200 (EET) Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id E932C689DB3 for ; Fri, 24 Jan 2025 00:35:44 +0200 (EET) Received: by mail.gandi.net (Postfix) with ESMTPSA id D699C40002 for ; Thu, 23 Jan 2025 22:35:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1737671744; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=NeyvHKbQOLStYQWlwhK2NJxyfewp+aic8PAY/PvZD20=; b=Tg/3xfMg/e2cVhi6nU2m+Q+WpOrgCK4dAUFlYpPvVhxrZSI19XcCw+HFxw8FxgSf06l+Wh 6rvBOeY3oj89vDmwn7PMAvV10fPYsBlaeEWCmpLIKeiryfKFml2ctH/lyBX++j5NOBw+zN cMiQxWIdWIrN1KSJzeeR0gSclArMkUtXxnnchbqkBjz28uw5o9Us1KANfjvM7FnKo/IKA1 p/ncZudMx72SQxdYyhcnHlTvDMhTMYQlKZOlWdJ4Qmhh4KKgruHNUa7cWJpM6965TnU8Xj ZtBgkzzq0S9F3IO97Y3J/1Wc8GScZJ6oVPA3pGwc6XpXYXxn67LFd78p4MVQsA== Date: Thu, 23 Jan 2025 23:35:42 +0100 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20250123223542.GC4991@pb2> References: <20250122203609.1796499-1-michael@niedermayer.cc> <20250122203609.1796499-2-michael@niedermayer.cc> <20250123001134.GA4991@pb2> MIME-Version: 1.0 In-Reply-To: X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============2030270226663103881==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============2030270226663103881== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="PBMBM6BwoAX6OgR1" Content-Disposition: inline --PBMBM6BwoAX6OgR1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Kieran On Thu, Jan 23, 2025 at 09:54:36PM +0000, Kieran Kunhya via ffmpeg-devel wr= ote: > On Thu, 23 Jan 2025, 00:11 Michael Niedermayer, > wrote: >=20 > > Hi Kieran > > > > On Wed, Jan 22, 2025 at 10:47:52PM +0000, Kieran Kunhya via ffmpeg-devel > > wrote: > > > On Wed, 22 Jan 2025, 20:36 Michael Niedermayer, > > > wrote: > > > > > > > This blocks disallowed extensions from probing > > > > It also requires all available segments to have matching extensions= to > > the > > > > format > > > > mpegts is treated independent of the extension > > > > > > > > > > Potentially this is a stupid question but what stops an attacker from > > > faking the extension? > > > > How would he fake the extension ? > > > > The attacker generally wants to access a sensitive file, maybe one in > > /etc or maybe .ssh with something like the tty demuxer / ansi decoder > > > > lets pick /etc/passwd as a specific example > > >=20 > Is there no control character they can use to fake the extension > potentially? If your question is, if theres a sequence of characters that gets interpret= ed as an extension thats then not in the file that is being opened on one plat= form Thats an interresting question, do you know of such a case ? >=20 > As an aside, why is this CVE from 2023 being fixed now? Because it was reported now more precissely, IIRC alexander strasser reported it after seeing it on https://bugzilla.redhat.com/show_bug.cgi?id=3D2334338 I then tried to contact Harvey Phillips of Amazon Element55 and once i got in contact with him looked into fixing the issues ffmpeg was still vulnerable to. Yes, some CVEs out there are not reported to ffmpeg-security at the time they should have been. thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB It is dangerous to be right in matters on which the established authorities are wrong. -- Voltaire --PBMBM6BwoAX6OgR1 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZ5LEOgAKCRBhHseHBAsP q2N7AJ40HoqR+KTuWCGtg1KwcKtmymKsRwCdEfqYJmOhQqCdc1AmzjEmewiFJ1s= =hofP -----END PGP SIGNATURE----- --PBMBM6BwoAX6OgR1-- --===============2030270226663103881== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============2030270226663103881==--