On Tue, Jan 28, 2025 at 06:11:33AM +0100, Vittorio Giovara wrote: > On Sat, Jan 25, 2025 at 9:38 PM Michael Niedermayer > wrote: > > > On Thu, Jan 23, 2025 at 10:27:47PM +0100, Michael Niedermayer wrote: > > > On Wed, Jan 22, 2025 at 09:36:09PM +0100, Michael Niedermayer wrote: > > > > This blocks disallowed extensions from probing > > > > It also requires all available segments to have matching extensions to > > the format > > > > mpegts is treated independent of the extension > > > > > > > > It is recommended to set the whitelists correctly > > > > instead of depending on extensions, but this should help a bit, > > > > and this is easier to backport > > > > > > > > Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer > > > > Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification > > > > > > > > The other parts of CVE-2023-6602 have been fixed by prior commits > > > > > > > > Found-by: Harvey Phillips of Amazon Element55 (element55) > > > > Signed-off-by: Michael Niedermayer > > > > --- > > > > doc/demuxers.texi | 7 +++++++ > > > > libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ > > > > 2 files changed, 57 insertions(+) > > > > > > I intend to apply this patchset soon so it receives some testing before > > 7.1.1 > > > > will apply > > > > Should this be backported to other stable releases since it's a CVE? yes, but theres a related open regression with mpv https://trac.ffmpeg.org/ticket/11435 thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I am the wisest man alive, for I know one thing, and that is that I know nothing. -- Socrates