Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
From: Oliver via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: "Rémi Denis-Courmont" <remi@remlab.net>,
	"FFmpeg development discussions and patches"
	<ffmpeg-devel@ffmpeg.org>
Cc: Oliver <oliver93721@gmail.com>
Subject: [FFmpeg-devel] Re: patch to disable SMUSH codec from autoselect
Date: Tue, 4 Nov 2025 18:35:18 +0800
Message-ID: <441f6b23-520d-40d3-a952-b3ea560e1658@gmail.com>
In-Reply-To: <06BDE1EF-6270-4C8F-B7E9-69398520A4AA@remlab.net>

Thank you for the quick response.

I had intended this as a medium-term fix to the referenced CVE that 
Google found.  In other words, SMUSH is specifically not secure.  This 
seems to be the most straightforward approach.  It will prevent anyone 
using auto-selection of the codec from being the victim of a malicious 
payload while still allowing them to explicitly use SMUSH for 
conversions if desired.

I had actually planned to add a new flag when I saw this mechanism 
already existed for "experimental".  I could add a new flag such as 
"unsafe" or "pending_cve" or such and key off that as well in the same 
place?

Or is it the position of ffmpeg that the SMUSH vulnerability should be 
left in place until a full fix of the codec is made? Your @FFmpeg X 
account made it sound like there would be no attempt to do this.  But if 
one is expected reasonably soon perhaps this is not a useful change anyway.

Best Regards,

Oliver


On 11/4/2025 5:56 PM, Rémi Denis-Courmont wrote:
> Hi,
>
> Experimental means part of an experiment. The SMUSH decoder might have qualified as experimental while it was being implemented (reverse engineered?), but not today.
>
> What it is is unsupported, but the same could be said of, well, essentially every codec in FFmpeg, as per the GPL/LGPL warranty disclaimer. SMUSH is also not formally proven secure, but again, the same could be said of every codec (or almost) in FFmpeg as of today.
>
> The same argument that FFmpeg should disable game codecs or other "unsupported" was raised on Saturday at VDD. Though those discussions do not bind the FFmpeg project in any way, most people in the room seemed to agree that classifying the hundreds of codecs in such a vague, variable and subjective way wasn't viable.
>
> In other words, it's up to whoever compiles the software downstream to determine what they want to support and what they don't, IMO, not the FFmpeg project/community.