From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] CVE #s security fixes and backports
Date: Mon, 24 Feb 2025 03:57:07 +0100
Message-ID: <20250224025707.GV4991@pb2> (raw)
In-Reply-To: <726eddd7-51c3-4a68-b1a2-3263da19e7b2@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 3407 bytes --]
Hi
On Sun, Feb 23, 2025 at 07:00:47PM -0300, James Almer wrote:
> On 2/23/2025 6:58 PM, Michael Niedermayer wrote:
> > Hi
> >
> > On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote:
> > > On 2/23/2025 5:19 PM, Michael Niedermayer wrote:
> > > > Hi
> > > >
> > > > On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
> > > > > On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> > > > > > Hi
> > > > > >
> > > > > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > > > > > > Hi all
> > > > > > >
> > > > > > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
> > > > > > > and from our security page.
> > > > > > >
> > > > > > > These issues where posted publically on trac, and fixed by FFmpeg developers.
> > > > > > > Then someone seems to have registered CVE #s but not mailed ffmpeg-security
> > > > > > >
> > > > > > > I suggest
> > > > > > > 1. if you fix a security issue or apply a security fix, make sure it is
> > > > > > > backported to all supported releases
> > > > > > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
> > > > > > > 3. If you see issues on trac that seem important, please make sure they
> > > > > > > are fixed and backported, having someone like carl who knew and maintained
> > > > > > > all issues would be quite usefull
> > > > > >
> > > > > > 4. Someone should cross check
> > > > > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
> > > > > > and backported fixes and backport missing fixes and fix unfixed issues.
> > > > >
> > > > > Why are there memory leaks with a CVE?
> > > >
> > > > a memory leak can be a denial of service
> > > >
> > > >
> > > > >
> > > > > Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
> > > > > master.
> > > >
> > > > please add a entry to our security page stating that
> > >
> > > How? It doesn't apply to any release. It's CVE who should fix their
> > > description.
> >
> > you can add "never affected a release" (theres already a similar one)
> >
> >
> > >
> > > Also, i consider it a bit premature to make a CVE for an issue that's only
> > > present in git master and was fixed immediately after it was reported to us.
> > > It wasn't realistically deployed anywhere and only pads the list.
> >
> > The world is unlikely to delete a CVE# completely, but you can try.
> > Some pages will refer to the issue and if its not on our page people
> > will be confused
>
> I don't want to delete a CVE, i want them to not be created prematurely for
> no gain...
duplicate CVE# and non-CVE# are a thing. I also want that not to be.
I remember that being also mentioned in mail between me and google security
people MANY years ago.
>
> >
> > If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release
> > thats clear and thats the clarity the page is supposed to provide.
>
> Sure, but it doesn't, and that's the problem. The description is completely
> made up.
If a CVE has a nonsense description, you/we can try to report this or just
mention it on our security page
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-02-24 2:57 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-23 8:56 Michael Niedermayer
2025-02-23 9:12 ` Michael Niedermayer
2025-02-23 15:41 ` James Almer
2025-02-23 20:19 ` Michael Niedermayer
2025-02-23 21:45 ` James Almer
2025-02-23 21:58 ` Michael Niedermayer
2025-02-23 22:00 ` James Almer
2025-02-24 2:57 ` Michael Niedermayer [this message]
2025-02-23 22:08 ` James Almer
2025-02-23 16:49 ` Rémi Denis-Courmont
2025-02-23 21:37 ` Michael Niedermayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250224025707.GV4991@pb2 \
--to=michael@niedermayer.cc \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git