From: "softworkz ."
To: FFmpeg development discussions and patches
Date: Mon, 2 Jun 2025 07:31:35 +0000
Subject: Re: [FFmpeg-devel] The "bad" Patch
In-Reply-To: <088d9dbd-3b74-4571-bf7d-463e174bbd8d@jkqxz.net>
X-BeenThere: ffmpeg-devel@ffmpeg.org

> -----Original Message-----
> From: ffmpeg-devel On Behalf Of Mark Thompson
> Sent: Saturday, 31 May 2025 22:26
> To: ffmpeg-devel@ffmpeg.org
> Subject: Re: [FFmpeg-devel] The "bad" Patch

Hi Mark,

Here are my answers to the remaining points:

>>> In reality, ffmpeg is often used on multi-user systems and called in
>>> strange ways from network services where many inputs are not trusted.
>>
>> None of such systems have xdg-open
>
> xdg-open is in most default install of Linux distributions (indeed, that's
> why you use it), so I don't think it is a reasonable assumption that it
> would not be there.

xdg-open is part of the xdg-utils package which is typically installed when
there's a Desktop Environment or certain individual UI applications. It's
normally not included in server, container or minimal installations.

No need to argue that it's not a 100% reliable indication, but still good as
one element of a group of indicators.

>> - The file name is built from the local time with milliseconds. Pretty
>> hard to hit
>
> No, trivial to hit given that creating a file and watching whether it gets
> touched (inotify) are very low cost operations.

Just to reiterate (as I cut off above too close):

An attacker would need to have access to the same system as the target user.
It would need to

- Create & delete 1000 files per second or perform 1000 renames per second
  - This number is independent from the number of files ("window") that you
    keep at a time.
    You can't make that window too small, because the file name is created
    before the graph is built, so maybe 500 or 1000 to be safe. The latter
    would provide a tolerance of 1 second.
  - Even when you use just 100 files at a time (covering 100ms), you still
    need to do 1000 create/rm or 1000 renames per second
- The number of inotify instances is usually limited on systems, so you can
  only monitor the folder.
- Monitoring a folder with 1000 or 2000 file changes per second with inotify
  is no longer cheap (afaik), even when you limit the events by event mask
- This has consequences and affects the system:
  - It creates 3.6 or 7.2 million file system journal entries per hour (for
    a journalling fs)
  - Even though the files may have 0 bytes, this causes continuous disk
    activity and might affect other fs operations
  - I have no time to try it out, but especially on slow systems, this is
    probably well noticeable

Anyway, that's all pointless due to the below:

>> - In v2, a temp-directory specific to the current user is created. Other
>> users have no access
>
> Your new method does not work because the attacker could have created the
> temporary directory (world-writeable) before the ffmpeg process does.

Right, it should maybe call stat after creation, but due to the below,
there's not much to achieve anyway.

>> - The file is an html file which will be launched by a browser from
>> file:/// url, means it is treated with extra safety and isolation. There's
>> hardly anything you could achieve these days from a local html page
>
> Is there some general citation for this?
>
> I would naively expect browsers to assign greater trust to local rather than
> remote files and possibly allow some additional capabilities to scripts
> running in them, but I admit I have no familiarity with this area so I may
> be completely wrong.

In fact, it's the other way round, contrary to what one would expect.
On one side, there have been loads of exploits in this regard in the past,
but in combination with other "security changes" that Chromium (and all
browsers derived from it) have introduced over the years, I have gained the
strong impression that Google are purposefully trying to do this (at least
also) to force more and more things to move to the cloud.

Content from local file urls is the least trusted origin in contemporary
browsers. It has upset me too many times in the past years that content from
whichever malicious site is trusted more than content from the file system,
just for having an SSL cert, which anybody can have these days.

It's hardly possible anymore to view something from (non-ssl) servers in your
local network when origins are mixed, and again, the hacked site with ssl is
considered "secure" and local network machines (http) as "unsafe" and file
urls even more.

When you want to open an XML file from the file system which specifies an
xslt stylesheet in the same folder - browsers don't load it anymore. But they
load it when it's available from an https url. That's crazy, because locally,
I can be sure that it doesn't change, but from a remote server, it can change
at any time and is out of your control. Still they are calling this "secure"
because it has ssl.

Their latest nonsense is to restrict access to http hosts with private
network IP addresses (sigh).

> Some further thoughts on your new patch which you will undoubtedly have
> already considered:
>
> * What happens if the system argument string exceeds the allowed command
>   argument length?

This is not possible, because the maximum length is:

/var/tmp/ffmpeg-4294967296/ffmpeg_graph_0000-00-00_00-00-00_000.htm

> * What happens if /bin/sh is not bash?

The command is not bash-specific, any POSIX shell should do it. Tested with
bash and dash.

> * What happens if the attacker successfully contrives a transient
>   out-of-memory condition during any of the calls to av_bprintf()? (As they
>   can do on a shared machine.)

The maximum length of the path is 68, and 110 for the command. The AVBPrints
are stack-allocated and have something like 1kB, which should be more than
sufficient for doing av_bprintf() without allocating additional memory.

> (The Windows implementation is not changed and does not look robust, I
> assume you have not revised it.)

Correct - as said, it's all and only about the system() invocation.

>> Many other CLI tools are launching browsers, so that's not really rocket
>> science like you're trying to allude to.
>
> I agree. Rocketry seems to be generally reliable and successful when
> compared to computer security, where people forever find new
> vulnerabilities in supposedly secure and audited programs.
>
> I would hope that other CLI tools doing this have carefully documented the
> circumstances in which they do so to ensure that they don't get used in
> cases where it might cause problems.

Git: Nope

git web--browse --help
git web--browse https://ffmpeg.org

GitHub CLI: Nope

https://cli.github.com/manual/gh_browse
gh browse --repo ffmpeg/ffmpeg

Neither are making a big thing out of it and the same applies to all other
cases I had seen.

Thanks,
sw
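The exchange above concedes two concrete failure modes of the temp-file scheme: a per-user temp directory that an attacker may have created first, and a predictable file name that something may already occupy. The C below is an added illustration of the mitigation mentioned in the thread ("call stat after creation"), written for this page; it is not FFmpeg code and not taken from the patch under discussion. The directory is created with mode 0700 and then inspected with lstat(2), so a pre-existing entry with the wrong type, owner or permissions is refused rather than used; the file itself is opened with O_CREAT|O_EXCL|O_NOFOLLOW so that an existing file or symlink at the predicted name makes the call fail instead of being reused. The enum values, function names and the /tmp base path used by the self-check are assumptions for illustration.

```c
/* Added example, not FFmpeg code: create a per-user private temp directory
 * and an exclusively created file inside it, refusing to proceed when the
 * directory already exists with the wrong type, owner or mode. All names and
 * paths below are constructed for illustration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum {
    PRIVDIR_OK         =  0,
    PRIVDIR_ERR_MKDIR  = -1, /* mkdir failed for a reason other than EEXIST */
    PRIVDIR_ERR_STAT   = -2, /* lstat failed */
    PRIVDIR_ERR_NOTDIR = -3, /* path is a symlink, regular file, ... */
    PRIVDIR_ERR_OWNER  = -4, /* owned by a different user */
    PRIVDIR_ERR_MODE   = -5  /* group/other permission bits set */
};

/* Ensure `path` is a directory owned by the caller with no group/other
 * access. It is created with mkdir(2) if absent; whether we created it or
 * found it already there, it is inspected afterwards with lstat(2), so a
 * symlink planted at that path is rejected rather than followed. */
int ensure_private_dir(const char *path)
{
    struct stat st;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return PRIVDIR_ERR_MKDIR;
    /* Must look exactly like what a fresh mkdir(path, 0700) by this user
     * would have produced. */
    if (lstat(path, &st) != 0)
        return PRIVDIR_ERR_STAT;
    if (!S_ISDIR(st.st_mode))
        return PRIVDIR_ERR_NOTDIR;
    if (st.st_uid != geteuid())
        return PRIVDIR_ERR_OWNER;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return PRIVDIR_ERR_MODE;
    return PRIVDIR_OK;
}

/* Create `dir/name` with O_CREAT|O_EXCL|O_NOFOLLOW: if anything already sits
 * at the predicted name (a file, a symlink), the call fails with EEXIST
 * instead of silently reusing it. Returns an open fd, or -1 with errno set. */
int create_exclusive_file(const char *dir, const char *name)
{
    char full[PATH_MAX];
    int n = snprintf(full, sizeof full, "%s/%s", dir, name);

    if (n < 0 || (size_t)n >= sizeof full) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(full, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Self-check on constructed paths under a fresh mkdtemp(3) directory.
 * Returns 0 when every expectation holds, otherwise the failed step number. */
int self_check(void)
{
    char base[] = "/tmp/privdir-example-XXXXXX";
    char priv[PATH_MAX], wide[PATH_MAX], file[PATH_MAX], html[PATH_MAX];
    int fd, rc = 0;

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(priv, sizeof priv, "%s/private", base);
    snprintf(wide, sizeof wide, "%s/wide", base);
    snprintf(file, sizeof file, "%s/notdir", base);
    snprintf(html, sizeof html, "%s/graph.htm", priv);

    /* 2: a fresh directory is accepted, and re-running is harmless. */
    if (ensure_private_dir(priv) != PRIVDIR_OK || ensure_private_dir(priv) != PRIVDIR_OK)
        rc = 2;
    /* 3: a pre-existing world-writable directory is rejected (chmod defeats umask). */
    else if (mkdir(wide, 0777) != 0 || chmod(wide, 0777) != 0
             || ensure_private_dir(wide) != PRIVDIR_ERR_MODE)
        rc = 3;
    /* 4: a regular file sitting at the path is rejected. */
    else if ((fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 || close(fd) != 0
             || ensure_private_dir(file) != PRIVDIR_ERR_NOTDIR)
        rc = 4;
    /* 5: the first exclusive create succeeds, a second one at the same name fails. */
    else if ((fd = create_exclusive_file(priv, "graph.htm")) < 0 || close(fd) != 0
             || create_exclusive_file(priv, "graph.htm") != -1 || errno != EEXIST)
        rc = 5;

    unlink(html); unlink(file); rmdir(wide); rmdir(priv); rmdir(base);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The ownership and mode checks are what make the "attacker pre-created the directory" case safe to detect: mkdir(2) returning EEXIST is not by itself an error, but a directory that is not ours or is group/world accessible is refused before any file name is derived. With O_EXCL on the file, the race on a time-based name degrades to a failed open rather than a write into something an attacker controls, which is the outcome a defender wants regardless of how cheap inotify monitoring is.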