[FFmpeg-devel] fuzzer and security issues

[FFmpeg-devel] fuzzer and security issues

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1032 bytes --]

Hi all

theres been a surge of new issues being reported in recent days.
And its affecting release schedule a bit

People having access to ffmpeg-security or ossfuzz, are welcome to
help with fixing them.
(general rule is check ML for the testcase filename, before working on a case
 or just ask me on IRC if iam working on a specific issue
 we will have to figure out how to best coordinate)

People who want to help but have no access, mail me or send me a private message on irc

thx

PS: people having access to ossfuzz but dont use it will be removed from ossfuzz

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundread thousand in war. Let country fall into chaos,
be surprised about raise of fundamantalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] fuzzer and security issues

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1192 bytes --]

Hi

On Wed, Aug 06, 2025 at 12:36:24PM +0200, Michael Niedermayer wrote:
> Hi all
> 
> theres been a surge of new issues being reported in recent days.
> And its affecting release schedule a bit
> 
> People having access to ffmpeg-security or ossfuzz, are welcome to
> help with fixing them.
> (general rule is check ML for the testcase filename, before working on a case
>  or just ask me on IRC if iam working on a specific issue
>  we will have to figure out how to best coordinate)
> 
> People who want to help but have no access, mail me or send me a private message on irc

some statistics:

we have 17 open security vulnerabilities in ossfuzz
    from these several have fixes, one is in an external lib (libopus)

we have 57 open issues (not limited to security) in ossfuzz

Also the rate of new issues seems going up and there are also now
fully AI genrated reports, that is "google big sleep"

This continuous stream of security issues is a factor in the 8.0 release
being late.

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Some Animals are More Equal Than Others. - George Orwell's book Animal Farm

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".