From: "softworkz ." <softworkz-at-hotmail.com@ffmpeg.org>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] The "bad" Patch
Date: Mon, 2 Jun 2025 07:31:35 +0000
Message-ID: <DM8P223MB036563DE2FD7EDC15E96CDA8BA62A@DM8P223MB0365.NAMP223.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <088d9dbd-3b74-4571-bf7d-463e174bbd8d@jkqxz.net>
> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of Mark
> Thompson
> Sent: Samstag, 31. Mai 2025 22:26
> To: ffmpeg-devel@ffmpeg.org
> Subject: Re: [FFmpeg-devel] The "bad" Patch
>
Hi Mark,
Here are my answers to the remaining points:
> >> In reality, ffmpeg is often used on multi-user systems and called in
> strange
> >> ways from network services where many inputs are not trusted.
> >
> > None of such systems have xdg-open
>
> xdg-open is in most default install of Linux distributions (indeed, that's why
> you use it), so I don't think it is a reasonable assumption that it would not
> be there.
xdg-open is part of the xdg-util package which is typically installed when
there's a Desktop Environment or certain individual UI applications.
It's normally not included in server, container or minimal installations.
No need to argue that it's not a 100% reliable indication, but still good
as one element of a group of indicators.
> > - The file name is built from the local time with milliseconds. Pretty hard
> to
> > hit
>
> No, trivial to hit given that creating a file and watching whether it gets
> touched (inotify) are very low cost operations.
Just to reiterate (as I cut off above too close): An attacker would need to
have access to the same system as the target user.
It would need to
- Create & Delete 1000 files per second
or perform 1000 renames per second
- This number is independent from the number of files ("window") that you
keep at a time. You can't make that window too small, because the file name
is created before the graph is built, so maybe 500 or 1000 to be safe
The latter would provide a tolerance of 1 second.
- Even when you use just 100 files at a time (covering 100ms), you still
need to do 1000 create/rm or 1000 renames per second
- The number of inotify instances is usually limited on systems, so
you can only monitor the folder.
- Monitoring a folder with 1000 or 2000 file changes per second with inotiy
is no longer cheap (afaik), even when you limit the events by event mask
- This has consequences and affects the system:
- It creates 3.6 or 7.2 Millions of file system journal entries per hour
(for a journalling fs)
- Even though the files may have 0 bytes, this causes continuous disk
activity and might affect other fs operations
- I have no time to try it out, but especially on slow systems, this
is probably well noticeable
Anyway, that's all pointless due to the below:
> > - In v2, a temp-directory specific to the current user is created. Other
> users
> > have no access
>
> Your new method does not work because the attacker could have created the
> temporary directory (world-writeable) before the ffmpeg process does.
Right, it should maybe call stat after creation, but due to the below, there's
not much to achieve anyway.
> > - The file is an html file which will be launched by a browser from file:///
> > url, means it is treated with extra safety and isolation. There's hardly
> anything
> > you could achieve these days from a local html page
>
> Is there some general citation for this?
>
> I would naively expect browsers to assign greater trust to local rather than
> remote files and possibly allow some additional capabilities to scripts
> running in them, but I admit I have no familiarity with this area so I may be
> completely wrong.
In fact, it's the other way round, contrary to what one would expect. On
one side, there have been loads of exploits in this regard in the past, but
in combination with other "security changes" that Chromium (and all browsers
derived from it) have introduced over the years, I have gained the strong
impression that Google are purposefully trying do this (at least also) to
force more and more things move to the cloud.
Content from local file urls is the least trusted origin in contemporary
browsers. It has upset me too many times in the past years, that content from
whichever malicious site is trusted more than content from the file system,
just for having an SSL cert, which anybody can have these days.
It's hardly possible anymore to view something from (non-ssl) servers in your
local network when origins are mixed, and again, the hacked site with ssl
is considered "secure" and local network machines (http) as "unsafe" and
file urls even more.
When you want to open an XML file from the file system which specifies an
xslt stylesheet in the same folder - browsers don't load it anymore.
But they load it when it's available from an https url. That's crazy,
because locally, I can be sure that it doesn't change, but from a remote
server, it can change at any time and is out of your control. Still they
are calling this "secure" because it has ssl.
Their latest nonsense is to restrict access to http hosts with private
network IP addresses (sigh).
> Some further thoughts on your new patch which you will undoubtably have
> already considered:
> * What happens if the system argument string exceeds the allowed command
> argument length?
This is not possible, because the maximum length is:
/var/tmp/ffmpeg-4294967296/ffmpeg_graph_0000-00-00_00-00-00_000.htm
> * What happens if /bin/sh is not bash?
The command is not bash-specific, any Posix shell should do it. Tested with
bash and dash.
> * What happens if the attacker successfully contrives a transient out-of-
> memory condition during any of the calls to av_bprintf()? (As they can do on
> a shared machine.)
The maximum length of the path is 68, and 110 for the command. The AVBPrints are
stack-allocated and have something like 1kB, which should be more than sufficient
for doing av_bprintf() without allocating additional memory.
> (The Windows implementation is not changed and does not look robust, I assume
> you have not revised it.)
Correct - as said, it's all and only about the system() incovation.
> > Many other CLI tools are launching browsers, so that's not really rocket
> > science like you're trying to allude to.
>
> I agree. Rocketry seems to be generally reliable and successful when compared
> to computer security, where people forever find new vulnerabilities in
> supposedly secure and audited programs.
>
> I would hope that other CLI tools doing this have carefully documented the
> circumstances in which they do so to ensure that they don't get used in cases
> where it might cause problems.
Git: Nope
git web--browse --help
git web--browse https://ffmpeg.org
GitHub CLI: Nope
https://cli.github.com/manual/gh_browse
gh browse --repo ffmpeg/ffmpeg
Neither are making a big thing out of it and the same applies to all other
cases I had seen.
Thanks,
sw
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-06-02 7:31 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-28 15:24 softworkz .
2025-05-28 17:34 ` RĂ©mi Denis-Courmont
2025-05-28 18:01 ` softworkz .
2025-05-28 18:09 ` softworkz .
2025-05-28 18:27 ` Marton Balint
2025-05-28 18:46 ` softworkz .
2025-05-29 2:59 ` softworkz .
2025-05-29 9:55 ` Nicolas George
2025-05-31 11:44 ` softworkz .
2025-05-31 16:21 ` Mark Thompson
2025-05-31 18:28 ` softworkz .
2025-05-31 20:26 ` Mark Thompson
2025-06-02 6:09 ` softworkz .
2025-06-02 7:31 ` softworkz . [this message]
2025-05-31 16:59 ` softworkz .
2025-05-31 17:34 ` softworkz .
2025-06-01 23:21 ` Michael Niedermayer
2025-06-01 23:51 ` softworkz .
2025-06-02 7:57 ` Nicolas George
2025-06-02 9:31 ` softworkz .
2025-06-02 10:18 ` softworkz .
2025-06-02 10:49 ` Nicolas George
2025-06-02 19:30 ` softworkz .
2025-06-02 21:26 ` softworkz .
2025-06-02 19:34 ` Michael Niedermayer
2025-06-02 21:22 ` softworkz .
2025-06-03 1:06 ` Michael Niedermayer
2025-06-01 23:56 ` softworkz .
2025-05-31 18:38 ` Kieran Kunhya via ffmpeg-devel
2025-05-29 14:43 ` Nicolas George
2025-05-30 3:42 ` softworkz .
2025-05-31 19:31 ` Leo Izen
2025-05-31 19:34 ` Marvin Scholz
2025-05-31 20:08 ` softworkz .
2025-05-31 20:13 ` softworkz .
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DM8P223MB036563DE2FD7EDC15E96CDA8BA62A@DM8P223MB0365.NAMP223.PROD.OUTLOOK.COM \
--to=softworkz-at-hotmail.com@ffmpeg.org \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git