From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 24 Feb 2025 03:57:07 +0100
Subject: Re: [FFmpeg-devel] CVE #s security fixes and backports
Message-ID: <20250224025707.GV4991@pb2>
In-Reply-To: <726eddd7-51c3-4a68-b1a2-3263da19e7b2@gmail.com>
References: <20250223085635.GO4991@pb2> <20250223091236.GP4991@pb2> <22ec2abf-bff5-4a89-b1cc-3bf73f726c22@gmail.com> <20250223201933.GQ4991@pb2> <7c37e800-9fec-4541-af8d-1b342a50e07c@gmail.com> <20250223215822.GT4991@pb2> <726eddd7-51c3-4a68-b1a2-3263da19e7b2@gmail.com>

Hi

On Sun, Feb 23, 2025 at 07:00:47PM -0300, James Almer wrote:
> On 2/23/2025 6:58 PM, Michael Niedermayer wrote:
> > Hi
> >
> > On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote:
> > > On 2/23/2025 5:19 PM, Michael Niedermayer wrote:
> > > > Hi
> > > >
> > > > On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
> > > > > On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> > > > > > Hi
> > > > > >
> > > > > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > > > > > > Hi all
> > > > > > >
> > > > > > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
> > > > > > > and from our security page.
> > > > > > >
> > > > > > > These issues were posted publicly on trac, and fixed by FFmpeg developers.
> > > > > > > Then someone seems to have registered CVE #s but not mailed ffmpeg-security.
> > > > > > >
> > > > > > > I suggest
> > > > > > > 1. if you fix a security issue or apply a security fix, make sure it is
> > > > > > >    backported to all supported releases
> > > > > > > 2. if you see a CVE # that's not on the security page, mail ffmpeg-security
> > > > > > > 3. If you see issues on trac that seem important, please make sure they
> > > > > > >    are fixed and backported; having someone like Carl who knew and maintained
> > > > > > >    all issues would be quite useful
> > > > > >
> > > > > > 4. Someone should cross check
> > > > > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
> > > > > > and backported fixes, and backport missing fixes and fix unfixed issues.
> > > > >
> > > > > Why are there memory leaks with a CVE?
> > > >
> > > > A memory leak can be a denial of service.
> > > >
> > > > > Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
> > > > > master.
> > > >
> > > > Please add an entry to our security page stating that.
> > >
> > > How? It doesn't apply to any release. It's CVE who should fix their
> > > description.
> >
> > You can add "never affected a release" (there's already a similar one).
> >
> > > Also, I consider it a bit premature to make a CVE for an issue that's only
> > > present in git master and was fixed immediately after it was reported to us.
> > > It wasn't realistically deployed anywhere and only pads the list.
> >
> > The world is unlikely to delete a CVE# completely, but you can try.
> > Some pages will refer to the issue, and if it's not on our page people
> > will be confused.
>
> I don't want to delete a CVE, I want them to not be created prematurely for
> no gain...

Duplicate CVE#s and non-CVE#s are a thing. I also want that not to be.
I remember that being also mentioned in mail between me and Google security
people MANY years ago.

> > If the page clearly says CVE-2025-1373 doesn't affect any ffmpeg release,
> > that's clear, and that's the clarity the page is supposed to provide.
>
> Sure, but it doesn't, and that's the problem. The description is completely
> made up.

If a CVE has a nonsense description, you/we can try to report this or
just mention it on our security page.

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
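The cross-check proposed in point 4 of the thread (compare the MITRE keyword search, the project security page, and which releases carry each fix) is mechanical enough to script. The following is an added example written for this page, not FFmpeg's own tooling. It runs on two constructed stand-ins: a fragment shaped like a cvekey.cgi results table, and a plain-text security page in a "Release X:" / "Never affected a release:" layout that is an assumption for this example and does not match the real page's markup. The release numbers are illustrative, and every CVE ID except CVE-2025-1373 (which the thread discusses) is a placeholder, not a real CVE.

```python
import re
from collections import defaultdict

# CVE IDs are CVE-YYYY-NNNN with four or more digits in the sequence part.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")

# Constructed stand-in for the keyword-search results page
# (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg). The IDs ending
# in 999xx are placeholders and the descriptions are made up for this example.
MITRE_SAMPLE = """\
<table>
<tr><td><a href="/cgi-bin/cvename.cgi?name=CVE-2025-99901">CVE-2025-99901</a></td>
<td>Placeholder: memory leak in a demuxer (constructed)</td></tr>
<tr><td><a href="/cgi-bin/cvename.cgi?name=CVE-2025-99902">CVE-2025-99902</a></td>
<td>Placeholder: out-of-bounds read in a decoder (constructed)</td></tr>
<tr><td><a href="/cgi-bin/cvename.cgi?name=CVE-2025-99903">CVE-2025-99903</a></td>
<td>Placeholder: NULL pointer dereference (constructed)</td></tr>
<tr><td><a href="/cgi-bin/cvename.cgi?name=CVE-2025-1373">CVE-2025-1373</a></td>
<td>Placeholder description (constructed)</td></tr>
</table>
"""

# Constructed stand-in for a project security page. The layout (a
# "Release N:" header followed by "Fixed CVE-..." lines, plus a
# "Never affected a release:" section) is an assumption for this example.
SECURITY_PAGE_SAMPLE = """\
Release 7.1:
  Fixed CVE-2025-99901, CVE-2025-99902
Release 6.1:
  Fixed CVE-2025-99901
Never affected a release:
  CVE-2025-1373
"""


def extract_cves(text):
    """Return the set of CVE IDs mentioned anywhere in `text`."""
    return set(CVE_RE.findall(text))


def parse_security_page(text):
    """Parse the constructed page layout.

    Returns ({release: set_of_fixed_cves}, set_of_never_affected_cves).
    """
    fixed = defaultdict(set)
    never = set()
    section = None
    for line in text.splitlines():
        m = re.match(r"^Release ([\w.]+):", line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("Never affected a release:"):
            section = "never"
            continue
        ids = extract_cves(line)
        if section == "never":
            never |= ids
        elif section is not None:
            fixed[section] |= ids
    return dict(fixed), never


def cross_check(mitre_text, page_text, supported_releases):
    """Find the two kinds of gap the thread complains about.

    missing_from_page: IDs the CVE search knows that the page never mentions
                       (neither as fixed nor as "never affected a release").
    backport_gaps:     per supported release, IDs fixed in some release but
                       not listed as fixed for this one.
    """
    mitre_ids = extract_cves(mitre_text)
    fixed, never = parse_security_page(page_text)
    fixed_anywhere = set().union(*fixed.values())
    on_page = fixed_anywhere | never
    backport_gaps = {}
    for rel in supported_releases:
        gaps = fixed_anywhere - fixed.get(rel, set())
        if gaps:
            backport_gaps[rel] = sorted(gaps)
    return {
        "missing_from_page": sorted(mitre_ids - on_page),
        "backport_gaps": backport_gaps,
    }


if __name__ == "__main__":
    report = cross_check(MITRE_SAMPLE, SECURITY_PAGE_SAMPLE, ["7.1", "6.1"])
    for cve in report["missing_from_page"]:
        print(f"not on security page: {cve}")
    for rel, ids in report["backport_gaps"].items():
        print(f"release {rel} lacks backports for: {', '.join(ids)}")
```

To use it against real pages, fetch the two documents and pass their text in place of the constructed samples, adjusting `parse_security_page` to the page's actual layout; the "never affected a release" bucket is what keeps an entry like CVE-2025-1373 from being reported as a missing backport once the page records it that way.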