Re: [FFmpeg-devel] CVE #s security fixes and backports

From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] CVE #s security fixes and backports
Date: Sun, 23 Feb 2025 19:00:47 -0300
Message-ID: <726eddd7-51c3-4a68-b1a2-3263da19e7b2@gmail.com> (raw)
In-Reply-To: <20250223215822.GT4991@pb2>

[-- Attachment #1.1.1: Type: text/plain, Size: 2555 bytes --]

On 2/23/2025 6:58 PM, Michael Niedermayer wrote:
> Hi
> 
> On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote:
>> On 2/23/2025 5:19 PM, Michael Niedermayer wrote:
>>> Hi
>>>
>>> On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
>>>> On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
>>>>> Hi
>>>>>
>>>>> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
>>>>>> Hi all
>>>>>>
>>>>>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
>>>>>> and from our security page.
>>>>>>
>>>>>> These issues where posted publically on trac, and fixed by FFmpeg developers.
>>>>>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security
>>>>>>
>>>>>> I suggest
>>>>>> 1. if you fix a security issue or apply a security fix, make sure it is
>>>>>> backported to all supported releases
>>>>>> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
>>>>>> 3. If you see issues on trac that seem important, please make sure they
>>>>>> are fixed and backported, having someone like carl who knew and maintained
>>>>>> all issues would be quite usefull
>>>>>
>>>>> 4. Someone should cross check
>>>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
>>>>> and backported fixes and backport missing fixes and fix unfixed issues.
>>>>
>>>> Why are there memory leaks with a CVE?
>>>
>>> a memory leak can be a denial of service
>>>
>>>
>>>>
>>>> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
>>>> master.
>>>
>>> please add a entry to our security page stating that
>>
>> How? It doesn't apply to any release. It's CVE who should fix their
>> description.
> 
> you can add "never affected a release" (theres already a similar one)
> 
> 
>>
>> Also, i consider it a bit premature to make a CVE for an issue that's only
>> present in git master and was fixed immediately after it was reported to us.
>> It wasn't realistically deployed anywhere and only pads the list.
> 
> The world is unlikely to delete a CVE# completely, but you can try.
> Some pages will refer to the issue and if its not on our page people
> will be confused

I don't want to delete a CVE, i want them to not be created prematurely 
for no gain...

> 
> If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release
> thats clear and thats the clarity the page is supposed to provide.

Sure, but it doesn't, and that's the problem. The description is 
completely made up.

[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".