On 2/23/2025 5:19 PM, Michael Niedermayer wrote:
> Hi
> 
> On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
>> On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
>>> Hi
>>>
>>> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
>>>> Hi all
>>>>
>>>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
>>>> and from our security page.
>>>>
>>>> These issues where posted publically on trac, and fixed by FFmpeg developers.
>>>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security
>>>>
>>>> I suggest
>>>> 1. if you fix a security issue or apply a security fix, make sure it is
>>>> backported to all supported releases
>>>> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
>>>> 3. If you see issues on trac that seem important, please make sure they
>>>> are fixed and backported, having someone like carl who knew and maintained
>>>> all issues would be quite usefull
>>>
>>> 4. Someone should cross check
>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
>>> and backported fixes and backport missing fixes and fix unfixed issues.
>>
>> Why are there memory leaks with a CVE?
> 
> a memory leak can be a denial of service
> 
> 
>>
>> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
>> master.
> 
> please add a entry to our security page stating that

How? It doesn't apply to any release. It's CVE who should fix their 
description.

Also, i consider it a bit premature to make a CVE for an issue that's 
only present in git master and was fixed immediately after it was 
reported to us. It wasn't realistically deployed anywhere and only pads 
the list.