Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed
* [FFmpeg-devel] CVE #s security fixes and backports
@ 2025-02-23  8:56 Michael Niedermayer
  2025-02-23  9:12 ` Michael Niedermayer
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Niedermayer @ 2025-02-23  8:56 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


[-- Attachment #1.1: Type: text/plain, Size: 874 bytes --]

Hi all

Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
and from our security page.

These issues where posted publically on trac, and fixed by FFmpeg developers.
Then someone seems to have registered CVE #s but not mailed ffmpeg-security

I suggest
1. if you fix a security issue or apply a security fix, make sure it is
backported to all supported releases
2. if you see a CVE # thats not on the security page, mail ffmpeg-security
3. If you see issues on trac that seem important, please make sure they
are fixed and backported, having someone like carl who knew and maintained
all issues would be quite usefull

thx

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I have never wished to cater to the crowd; for what I know they do not
approve, and what they approve I do not know. -- Epicurus

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports
  2025-02-23  8:56 [FFmpeg-devel] CVE #s security fixes and backports Michael Niedermayer
@ 2025-02-23  9:12 ` Michael Niedermayer
  2025-02-23 15:41   ` James Almer
  2025-02-23 16:49   ` Rémi Denis-Courmont
  0 siblings, 2 replies; 5+ messages in thread
From: Michael Niedermayer @ 2025-02-23  9:12 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


[-- Attachment #1.1: Type: text/plain, Size: 1184 bytes --]

Hi

On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> Hi all
> 
> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
> and from our security page.
> 
> These issues where posted publically on trac, and fixed by FFmpeg developers.
> Then someone seems to have registered CVE #s but not mailed ffmpeg-security
> 
> I suggest
> 1. if you fix a security issue or apply a security fix, make sure it is
> backported to all supported releases
> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
> 3. If you see issues on trac that seem important, please make sure they
> are fixed and backported, having someone like carl who knew and maintained
> all issues would be quite usefull

4. Someone should cross check
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
and backported fixes and backport missing fixes and fix unfixed issues.

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The smallest minority on earth is the individual. Those who deny 
individual rights cannot claim to be defenders of minorities. - Ayn Rand

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports
  2025-02-23  9:12 ` Michael Niedermayer
@ 2025-02-23 15:41   ` James Almer
  2025-02-23 20:19     ` Michael Niedermayer
  2025-02-23 16:49   ` Rémi Denis-Courmont
  1 sibling, 1 reply; 5+ messages in thread
From: James Almer @ 2025-02-23 15:41 UTC (permalink / raw)
  To: ffmpeg-devel


[-- Attachment #1.1.1: Type: text/plain, Size: 1456 bytes --]

On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> Hi
> 
> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
>> Hi all
>>
>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
>> and from our security page.
>>
>> These issues where posted publically on trac, and fixed by FFmpeg developers.
>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security
>>
>> I suggest
>> 1. if you fix a security issue or apply a security fix, make sure it is
>> backported to all supported releases
>> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
>> 3. If you see issues on trac that seem important, please make sure they
>> are fixed and backported, having someone like carl who knew and maintained
>> all issues would be quite usefull
> 
> 4. Someone should cross check
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
> and backported fixes and backport missing fixes and fix unfixed issues.

Why are there memory leaks with a CVE?

Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git 
master.

> 
> thx
> 
> [...]
> 
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports
  2025-02-23  9:12 ` Michael Niedermayer
  2025-02-23 15:41   ` James Almer
@ 2025-02-23 16:49   ` Rémi Denis-Courmont
  1 sibling, 0 replies; 5+ messages in thread
From: Rémi Denis-Courmont @ 2025-02-23 16:49 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Le sunnuntaina 23. helmikuuta 2025, 11.12.36 UTC+2 Michael Niedermayer a écrit 
:
> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > I suggest
> > 1. if you fix a security issue or apply a security fix, make sure it is
> > backported to all supported releases
> > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
> > 3. If you see issues on trac that seem important, please make sure they
> > are fixed and backported, having someone like carl who knew and maintained
> > all issues would be quite usefull
> 
> 4. Someone should cross check
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security
> page and backported fixes and backport missing fixes and fix unfixed
> issues.

I find these suggestions very agreeable... as long as someone else is 
responsible. Luckily, I am not on ffmpeg-security, so I have a rock-solid 
excuse.

IMO, whoever "asked (...) why 5 security fixes are missing in 6.1
and from our security page" should be respectfully informed that FFmpeg is a 
volunteer organisation and lacks the human resources to necessary track CVEs. 
It probably won't make any difference in the end, but I find it better to admit 
that we don't do what we don't do than to give false hopes.

-- 
Rémi Denis-Courmont
Villeneuve de Tapiola, ex-République finlandaise d´Uusimaa



_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports
  2025-02-23 15:41   ` James Almer
@ 2025-02-23 20:19     ` Michael Niedermayer
  0 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2025-02-23 20:19 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


[-- Attachment #1.1: Type: text/plain, Size: 1649 bytes --]

Hi

On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
> On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> > Hi
> > 
> > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > > Hi all
> > > 
> > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
> > > and from our security page.
> > > 
> > > These issues where posted publically on trac, and fixed by FFmpeg developers.
> > > Then someone seems to have registered CVE #s but not mailed ffmpeg-security
> > > 
> > > I suggest
> > > 1. if you fix a security issue or apply a security fix, make sure it is
> > > backported to all supported releases
> > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
> > > 3. If you see issues on trac that seem important, please make sure they
> > > are fixed and backported, having someone like carl who knew and maintained
> > > all issues would be quite usefull
> > 
> > 4. Someone should cross check
> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
> > and backported fixes and backport missing fixes and fix unfixed issues.
> 
> Why are there memory leaks with a CVE?

a memory leak can be a denial of service


> 
> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
> master.

please add a entry to our security page stating that

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The difference between a dictatorship and a democracy is that every 4 years
the population together is allowed to provide 1 bit of input to the government.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-02-23 20:19 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-02-23  8:56 [FFmpeg-devel] CVE #s security fixes and backports Michael Niedermayer
2025-02-23  9:12 ` Michael Niedermayer
2025-02-23 15:41   ` James Almer
2025-02-23 20:19     ` Michael Niedermayer
2025-02-23 16:49   ` Rémi Denis-Courmont

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git