From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] CVE #s security fixes and backports
Date: Sun, 23 Feb 2025 22:58:22 +0100
Message-ID: <20250223215822.GT4991@pb2> (raw)
In-Reply-To: <7c37e800-9fec-4541-af8d-1b342a50e07c@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 2825 bytes --]
Hi
On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote:
> On 2/23/2025 5:19 PM, Michael Niedermayer wrote:
> > Hi
> >
> > On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
> > > On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> > > > Hi
> > > >
> > > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > > > > Hi all
> > > > >
> > > > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
> > > > > and from our security page.
> > > > >
> > > > > These issues where posted publically on trac, and fixed by FFmpeg developers.
> > > > > Then someone seems to have registered CVE #s but not mailed ffmpeg-security
> > > > >
> > > > > I suggest
> > > > > 1. if you fix a security issue or apply a security fix, make sure it is
> > > > > backported to all supported releases
> > > > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
> > > > > 3. If you see issues on trac that seem important, please make sure they
> > > > > are fixed and backported, having someone like carl who knew and maintained
> > > > > all issues would be quite usefull
> > > >
> > > > 4. Someone should cross check
> > > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
> > > > and backported fixes and backport missing fixes and fix unfixed issues.
> > >
> > > Why are there memory leaks with a CVE?
> >
> > a memory leak can be a denial of service
> >
> >
> > >
> > > Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
> > > master.
> >
> > please add a entry to our security page stating that
>
> How? It doesn't apply to any release. It's CVE who should fix their
> description.
you can add "never affected a release" (theres already a similar one)
>
> Also, i consider it a bit premature to make a CVE for an issue that's only
> present in git master and was fixed immediately after it was reported to us.
> It wasn't realistically deployed anywhere and only pads the list.
The world is unlikely to delete a CVE# completely, but you can try.
Some pages will refer to the issue and if its not on our page people
will be confused
If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release
thats clear and thats the clarity the page is supposed to provide.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundread thousand in war. Let country fall into chaos,
be surprised about raise of fundamantalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-02-23 21:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-23 8:56 Michael Niedermayer
2025-02-23 9:12 ` Michael Niedermayer
2025-02-23 15:41 ` James Almer
2025-02-23 20:19 ` Michael Niedermayer
2025-02-23 21:45 ` James Almer
2025-02-23 21:58 ` Michael Niedermayer [this message]
2025-02-23 22:00 ` James Almer
2025-02-23 22:08 ` James Almer
2025-02-23 16:49 ` Rémi Denis-Courmont
2025-02-23 21:37 ` Michael Niedermayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250223215822.GT4991@pb2 \
--to=michael@niedermayer.cc \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git