From: "softworkz ."
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] The "bad" Patch
Date: Mon, 2 Jun 2025 06:09:34 +0000
In-Reply-To: <088d9dbd-3b74-4571-bf7d-463e174bbd8d@jkqxz.net>

> -----Original Message-----
> From: ffmpeg-devel On Behalf Of Mark Thompson
> Sent: Saturday, 31 May 2025 22:26
> To: ffmpeg-devel@ffmpeg.org
> Subject: Re: [FFmpeg-devel] The "bad" Patch
>

Hello Mark,

(I've re-ordered some parts to unclutter the conversation)

> It does not seem unreasonable for people to treat the appearance of a
> vulnerable call to system() like seeing self-rolled cryptography: the
> submitter is almost certainly either incompetent or malicious, and can be
> safely ignored.

That's great because this gets to the essence of what we're talking about
and here I beg to differ:

My point is that exactly this way of judgement you are describing is itself
a sign of incompetence instead.

This isn't meant to be a rhetorical or flaming statement. It follows from the
simple and confirmed reasoning that hardly anybody would have recognized or
objected when I would have included the internal implementation of system()
instead. This invalidates the former in total.

But "incompetence" was your word. I wouldn't call it like that because I do
not want to insult anybody and I do not deem anybody here to be.
Rather would I call it "lazy judgement", as that's what's happened:

One said: "I've seen system()"
And a choir started singing: "Bad, bad, revert, revert"
- without looking at the code, without own judgement and consideration.
(except yours and possibly others who didn't sing)

> In some cases they may in fact be capable and benign

Thanks for confirming this explicitly.

> but it is up to the submitter to show when doing that that they understand
> all of the issues and have properly dealt all of them.

This code is what I had posted for review.
I have sufficient experience with FFmpeg submissions to know that it is just
stupid to work days on something where there's a chance to get rejected
anyway, so it was done to be fairly safe but without specific effort on
hardening.

> You did not do this, and indeed your
> implementation was easily exploited.

Oh, how do you come to that idea?

I have conceded that it's better not to rely on any environment variable -
but what you've shown is not an exploit:

    $ export TMPDIR="'; rm -rf / ;'\\\\"
    $ ./ffmpeg -sg -i /dev/null -f null -

as then you could do

    $ rm -rf /

right away.

A system (more precisely: user session) where an attacker has the ability to
set arbitrary env variables to arbitrary values must already be considered
as compromised.

Setting variables like..

    LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT, PYTHONPATH
    PATH, SHELL, EDITOR, PAGER, SSH_ASKPASS, GIT_SSH
    LOCPATH, TERMINFO, ICONV_PATH, NODE_OPTIONS

..is more than enough for an attacker to get anywhere they want and without
need to go through an FFmpeg feature

Regarding realistic exploitability of this, we are talking about very
specific niche cases like for example:

- an attacker cannot set arbitrary env variables, but TMPDIR only
- and they can control the FFmpeg command line that is executed

When these things coincide, then it could be exploited. There are surely
other variants, but in total still a very small attack surface (I'm
excluding cases with arbitrary env manipulation, because FFmpeg/-sg is not
needed for anything then).

So, to conclude on this: "easily exploitable" => no way
but still a valid point as I had already conceded.

---

> My point here is really that I don't believe the security implications of the
> patch were considered at all in the initial submission

Like said above, I haven't spent extra time on this as I wasn't sure where
it might go.

The primary consideration for the initial submission was: How to execute?
For Windows it was clear, but for Linux I had looked around how others are
doing it. Where system was not used, there was always a lot of code
involved, which made me afraid for two reasons:

1. I wasn't sure about the range of platform support - i.e. where to draw
   the lines between one or another implementation
2. I could already visualize the potential objections from others against
   so much process management code.

Eventually, I looked at glibc's system() code, first the latest code using
clone or clone3 which I hadn't seen many usages of in the wild, and then I
went back to an earlier version (which matches my Ubuntu VM), and I realized
that this is pretty much the same code that I'm seeing at other places where
shell invocations are done.

This seemed perfect to me: same procedure like others use, but with a single
line of code. And that's how I knew that using system() is okay.

I'm not a frequent Linux platform developer, so I didn't know that people
would freak out about it, but I did my homework, which led to the weird
situation that I could claim that system() isn't worse than what everybody
else is doing while many others were acting like it would be even something
that allows privileged execution.

Such things can happen, but it should not happen in the way it did, combined
with so much disrespect and everything that followed.

In the latter regard - again - you have been a shiny exception, and I highly
appreciate that!

PS: This is a perfect finish, so I'll respond to the details in a separate
mail.

Thank you,
sw
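
Added example, not part of the original message and not FFmpeg code: the TMPDIR issue discussed in this thread arises when an environment-derived string is pasted into a command line that /bin/sh parses, whether that happens through system() or a hand-written fork/exec of "sh -c". The sketch contrasts this with handing the value over as a single argv element via posix_spawnp(); the `test -d` command, the function names and the sample value are assumptions constructed for illustration.

```c
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

extern char **environ;

/* Pattern under discussion: the value becomes part of a shell command
 * line, so /bin/sh interprets quotes and ';' found inside it. */
static int run_via_shell(const char *dir)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof(cmd), "test -d '%s'", dir);
    if (n < 0 || (size_t)n >= sizeof(cmd))
        return -1;                       /* refuse truncated commands */
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened form: no shell involved; the value is exactly one argv
 * element and is never parsed as command syntax. */
static int run_via_argv(const char *dir)
{
    char *const argv[] = { "test", "-d", (char *)dir, NULL };
    pid_t pid;
    int st;
    if (posix_spawnp(&pid, "test", NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* Constructed sample value (assumption): closes the quote and appends a
 * harmless "exit 42" so shell interpretation shows up in the exit code. */
static const char *hostile_dir(void)
{
    return "/nonexistent'; exit 42; '";
}

int main(void)
{
    printf("shell, hostile value: %d\n", run_via_shell(hostile_dir()));
    printf("argv,  hostile value: %d\n", run_via_argv(hostile_dir()));
    printf("shell, benign value:  %d\n", run_via_shell("/"));
    printf("argv,  benign value:  %d\n", run_via_argv("/"));
    return 0;
}
```

An exit status of 42 on the shell path means text inside the value was executed as a command; the argv path only reports that no such directory exists.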