Hi

On Sun, Feb 23, 2025 at 07:00:47PM -0300, James Almer wrote:
> On 2/23/2025 6:58 PM, Michael Niedermayer wrote:
> > Hi
> > 
> > On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote:
> > > On 2/23/2025 5:19 PM, Michael Niedermayer wrote:
> > > > Hi
> > > > 
> > > > On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
> > > > > On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> > > > > > Hi
> > > > > > 
> > > > > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > > > > > > Hi all
> > > > > > > 
> > > > > > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
> > > > > > > and from our security page.
> > > > > > > 
> > > > > > > These issues where posted publically on trac, and fixed by FFmpeg developers.
> > > > > > > Then someone seems to have registered CVE #s but not mailed ffmpeg-security
> > > > > > > 
> > > > > > > I suggest
> > > > > > > 1. if you fix a security issue or apply a security fix, make sure it is
> > > > > > > backported to all supported releases
> > > > > > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
> > > > > > > 3. If you see issues on trac that seem important, please make sure they
> > > > > > > are fixed and backported, having someone like carl who knew and maintained
> > > > > > > all issues would be quite usefull
> > > > > > 
> > > > > > 4. Someone should cross check
> > > > > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
> > > > > > and backported fixes and backport missing fixes and fix unfixed issues.
> > > > > 
> > > > > Why are there memory leaks with a CVE?
> > > > 
> > > > a memory leak can be a denial of service
> > > > 
> > > > 
> > > > > 
> > > > > Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
> > > > > master.
> > > > 
> > > > please add a entry to our security page stating that
> > > 
> > > How? It doesn't apply to any release. It's CVE who should fix their
> > > description.
> > 
> > you can add "never affected a release" (theres already a similar one)
> > 
> > 
> > > 
> > > Also, i consider it a bit premature to make a CVE for an issue that's only
> > > present in git master and was fixed immediately after it was reported to us.
> > > It wasn't realistically deployed anywhere and only pads the list.
> > 
> > The world is unlikely to delete a CVE# completely, but you can try.
> > Some pages will refer to the issue and if its not on our page people
> > will be confused
> 
> I don't want to delete a CVE, i want them to not be created prematurely for
> no gain...

duplicate CVE# and non-CVE# are a thing. I also want that not to be.
I remember that being also mentioned in mail between me and google security
people MANY years ago.


> 
> > 
> > If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release
> > thats clear and thats the clarity the page is supposed to provide.
> 
> Sure, but it doesn't, and that's the problem. The description is completely
> made up.

If a CVE has a nonsense description, you/we can try to report this or just
mention it on our security page

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire