From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 2129342383
	for <ffmpegdev@gitmailbox.com>; Fri, 17 Dec 2021 20:54:24 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D8F0068AF01;
	Fri, 17 Dec 2021 22:54:21 +0200 (EET)
Received: from w4.tutanota.de (w4.tutanota.de [81.3.6.165])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 6C164680B71
 for <ffmpeg-devel@ffmpeg.org>; Fri, 17 Dec 2021 22:54:15 +0200 (EET)
Received: from w3.tutanota.de (unknown [192.168.1.164])
 by w4.tutanota.de (Postfix) with ESMTP id 95482106014E
 for <ffmpeg-devel@ffmpeg.org>; Fri, 17 Dec 2021 20:54:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1639774454; 
 s=s1; d=lynne.ee;
 h=From:From:To:To:Subject:Subject:Content-Description:Content-ID:Content-Type:Content-Type:Content-Transfer-Encoding:Content-Transfer-Encoding:Cc:Date:Date:In-Reply-To:In-Reply-To:MIME-Version:MIME-Version:Message-ID:Message-ID:Reply-To:References:References:Sender;
 bh=SKszfVN1p68gK89YIOYSH0YxKlpjcMRz6Ch+u8pI47I=;
 b=uucJfHB14Tx5jzh7iu2cn8H1GhhZ5gBrj3NOXbDIAC+XHS8p18FSBrjg9JX2MXgc
 1eSEDuIX4vRc/JeGRyA64Pw8oA4n3H2Ia5nuJV7nGxfMu/T8Cmmsfs9aYw15Xm6UxOQ
 Fmd9qxs0KZVQQDMoVe9j8USeUiHnFImK1ALfo3Fx5giYoVPzheW1XheNkGlg3kswDmn
 seFG2Cixj7MLnvll3+VkeuZpD8UQuasNUv9I6lz4j4h/QEJ8l4LvPffTPxWk9vhIO/n
 yIjjR426wiC1u6A0Hfn1++Kw9kSr3qfV6cYx+pRU5+sCZiGWqV2aTPtfr4rnjWCcrow
 ovAVPsqjmQ==
Date: Fri, 17 Dec 2021 21:54:14 +0100 (CET)
From: Lynne <dev@lynne.ee>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <Mr9A74---3-2@lynne.ee>
In-Reply-To: <163975114109.13029.10142418833883066194@lain.red.khirnov.net>
References: <20211213054336.19783-1-pal@sandflow.com>
 <163947788654.13029.10298345109744593134@lain.red.khirnov.net>
 <CAF_7JxCxrb0fBNzH_nr=nv8qgHDgMLvAk8WFs7V5dnVfVT_ofA@mail.gmail.com>
 <163950889025.13443.18056291142265665105@lain.red.khirnov.net>
 <CAF_7JxCCye8oAdjvqtPY4aUMKmgfY6poa4NtyKw3X-OkCsfRmg@mail.gmail.com>
 <163959962513.13029.16441945709966296103@lain.red.khirnov.net>
 <CAF_7JxC7uLTL53bn7OA9G7H8brGAmPs-F89o4kz4KOBmMhh4CA@mail.gmail.com>
 <163975114109.13029.10142418833883066194@lain.red.khirnov.net>
MIME-Version: 1.0
Subject: Re: [FFmpeg-devel] [PATCH v10 1/2] avformat/imf: Demuxer
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/Mr9A74---3-2@lynne.ee/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

Dec 17, 2021, 3:25 PM by anton@khirnov.net:

> Quoting Pierre-Anthony Lemieux (2021-12-15 21:41:25)
>
>> On Wed, Dec 15, 2021 at 12:20 PM Anton Khirnov <anton@khirnov.net> wrote:
>> >
>> > Quoting Pierre-Anthony Lemieux (2021-12-15 01:17:26)
>> > > >
>> > > > Now the question is whether a malicious attacker can craft those two
>> > > > files to get access to anything they shouldn't. I suppose at the very
>> > > > least the attacker can get information that the user opened the file (by
>> > > > adding an asset on an attacker's server) but that will be a danger with
>> > > > any playlists allowing network resources and can be controlled with
>> > > > io_open(). Can you think of any other possible issues?
>> > > >
>> > >
>> > > Some security considerations:
>> > >
>> > > - a DDoS can conceivably occur if a malicious CPL+ASSETMAP is widely
>> > > distributed. Both an ASSETMAP and a CPL are required since (a) the CPL
>> > > does not contain paths/hyperlinks and (b) only those resources
>> > > referenced by the CPL are fetched using the ASSETMAP.
>> > > - the CPL uses XML, which has its own security considerations. For
>> > > example, XML parsing can result in entities being fetched over the
>> > > network, but this is disabled by default in libxml AFAIK.
>> >
>> > This is concerning. From a brief glance at libxml2, it seems that you
>> > need to pass XML_PARSE_NONET as the last parameter to xmlReadMemory() to
>> > actually disabling network fetching.
>> > But it is possible I'm misreading the code, so if you or anyone else
>> > understands this better then clarifications are welcome.
>>
>> I was referring to entity expansion and the loading of DTDs being
>> disabled by default -- see XML_PARSE_NOENT and XML_PARSE_DTDLOAD at
>> [1-2].
>>
>
> Okay then. If nobody has further comments, I will push your latest patch
> in a few days.
>

I think this shouldn't get merged into 5.0. It would get minimal amount
of fuzzing if it does now, so let's leave it for a later release?
I'd still like to see libuuid being used, we have several uses for it already.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".