From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 506964D708
	for <ffmpegdev@gitmailbox.com>; Sun, 23 Feb 2025 21:58:37 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 327F768CA2F;
	Sun, 23 Feb 2025 23:58:32 +0200 (EET)
Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net
 [217.70.183.201])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id EC61E68C4DB
 for <ffmpeg-devel@ffmpeg.org>; Sun, 23 Feb 2025 23:58:24 +0200 (EET)
Received: by mail.gandi.net (Postfix) with ESMTPSA id 4AF3A44467
 for <ffmpeg-devel@ffmpeg.org>; Sun, 23 Feb 2025 21:58:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc;
 s=gm1; t=1740347904;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=4r03kCQzQh6h9jPSklqSDlwEI8b98OWbTQVY/6C5/gU=;
 b=a1yU+fT7UgnlUESvcYds5Wf2D0xt56TEMF+AbXdy9hfPbXaha+Q321ztQ/JcA4H4q04cJq
 hmoCB7a6uUMZIX1O2z1bHUbFRE3mtlC0YwmWnWWXGZBtRkeDyms50FXVr2LsK9TCSfYzim
 KjomuanhF861OlocWhRb+bhx0IwPYGzhj7c2fQVxYst0hjGdjFUBOP7knWySy8wAw0pvpq
 Avz45rzGnNA+aYpG9wBeeXeLeJ/TLwQ3XsQyfc6P5swvDuRHmXLV8rlZuohZvVEe5T0+/1
 M4KLnysrhad5jAfYlE6qAnjFyVNACD0yZ9370tqNJLT+fkKGsIEXDj23Ljzy4g==
Date: Sun, 23 Feb 2025 22:58:22 +0100
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20250223215822.GT4991@pb2>
References: <20250223085635.GO4991@pb2> <20250223091236.GP4991@pb2>
 <22ec2abf-bff5-4a89-b1cc-3bf73f726c22@gmail.com>
 <20250223201933.GQ4991@pb2>
 <7c37e800-9fec-4541-af8d-1b342a50e07c@gmail.com>
MIME-Version: 1.0
In-Reply-To: <7c37e800-9fec-4541-af8d-1b342a50e07c@gmail.com>
X-GND-State: clean
X-GND-Score: -85
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgdejieellecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfitefpfffkpdcuggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedtudenucesvcftvggtihhpihgvnhhtshculddquddttddmnegfrhhlucfvnfffucdludehmdenucfjughrpeffhffvuffkfhggtggujgesghdtreertddtvdenucfhrhhomhepofhitghhrggvlhcupfhivgguvghrmhgrhigvrhcuoehmihgthhgrvghlsehnihgvuggvrhhmrgihvghrrdgttgeqnecuggftrfgrthhtvghrnhepieffiedtleffffejkeffuedtgfdtffffudegueeivdelhfduhfffveehleektdffnecuffhomhgrihhnpehmihhtrhgvrdhorhhgnecukfhppeeguddrieeirdeijedruddufeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeeguddrieeirdeijedruddufedphhgvlhhopehlohgtrghlhhhoshhtpdhmrghilhhfrhhomhepmhhitghhrggvlhesnhhivgguvghrmhgrhigvrhdrtggtpdhnsggprhgtphhtthhopedupdhrtghpthhtohepfhhfmhhpvghgqdguvghvvghlsehffhhmphgvghdrohhrgh
X-GND-Sasl: michael@niedermayer.cc
Subject: Re: [FFmpeg-devel] CVE #s security fixes and backports
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: multipart/mixed; boundary="===============8501112111414083380=="
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250223215822.GT4991@pb2/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>


--===============8501112111414083380==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="QXfSsRyumiSI+4YI"
Content-Disposition: inline


--QXfSsRyumiSI+4YI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi

On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote:
> On 2/23/2025 5:19 PM, Michael Niedermayer wrote:
> > Hi
> >=20
> > On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
> > > On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> > > > Hi
> > > >=20
> > > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > > > > Hi all
> > > > >=20
> > > > > Today ffmpeg-security was asked why 5 security fixes are missing =
in 6.1
> > > > > and from our security page.
> > > > >=20
> > > > > These issues where posted publically on trac, and fixed by FFmpeg=
 developers.
> > > > > Then someone seems to have registered CVE #s but not mailed ffmpe=
g-security
> > > > >=20
> > > > > I suggest
> > > > > 1. if you fix a security issue or apply a security fix, make sure=
 it is
> > > > > backported to all supported releases
> > > > > 2. if you see a CVE # thats not on the security page, mail ffmpeg=
-security
> > > > > 3. If you see issues on trac that seem important, please make sur=
e they
> > > > > are fixed and backported, having someone like carl who knew and m=
aintained
> > > > > all issues would be quite usefull
> > > >=20
> > > > 4. Someone should cross check
> > > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=3Dffmpeg and our s=
ecurity page
> > > > and backported fixes and backport missing fixes and fix unfixed iss=
ues.
> > >=20
> > > Why are there memory leaks with a CVE?
> >=20
> > a memory leak can be a denial of service
> >=20
> >=20
> > >=20
> > > Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only g=
it
> > > master.
> >=20
> > please add a entry to our security page stating that
>=20
> How? It doesn't apply to any release. It's CVE who should fix their
> description.

you can add "never affected a release" (theres already a similar one)


>=20
> Also, i consider it a bit premature to make a CVE for an issue that's only
> present in git master and was fixed immediately after it was reported to =
us.
> It wasn't realistically deployed anywhere and only pads the list.

The world is unlikely to delete a CVE# completely, but you can try.
Some pages will refer to the issue and if its not on our page people
will be confused

If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release
thats clear and thats the clarity the page is supposed to provide.

thx

[...]

--=20
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundread thousand in war. Let country fall into chaos,
be surprised about raise of fundamantalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued

--QXfSsRyumiSI+4YI
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZ7uZ/gAKCRBhHseHBAsP
q2UuAJ0aIchFlTWYnrKof+TlsX6R9icjDACfUTaCF4MZPkpc8lWTK8YBpQnCgj0=
=OI38
-----END PGP SIGNATURE-----

--QXfSsRyumiSI+4YI--

--===============8501112111414083380==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

--===============8501112111414083380==--