Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed
From: Mark Thompson <sw@jkqxz.net>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] The "bad" Patch
Date: Sat, 31 May 2025 17:21:27 +0100
Message-ID: <dd70f1cd-284d-4e70-9eef-dc86ce4768b4@jkqxz.net> (raw)
In-Reply-To: <DM8P223MB036575864A9E6924CCC1A2B5BA60A@DM8P223MB0365.NAMP223.PROD.OUTLOOK.COM>

On 31/05/2025 12:44, softworkz . wrote:
>> -----Original Message-----
>> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of softworkz .
>> Sent: Donnerstag, 29. Mai 2025 04:59
>> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
>> Subject: Re: [FFmpeg-devel] The "bad" Patch
> 
> 
> Two and a half days have passed and nobody has answered any of the questions
> from my previous post. This speaks for itself.
> 
> What really happened, is that some had seen my use of system() and 
> since this is commonly known as a "dangerous" API when not used carefully,
> they did lazy judgement without due diligence and without detailed 
> assessment.
> The judgement was based on commonplace knowledge instead: 
> system() => is-bad => patch is bad
> 
> 
> Looking at the specific case and way of usage (and how system() works
> internally) would have revealed that this doesn't apply here. 
> 
> => The patch was NOT bad at all
> => All review comments were addressed when it was pushed
> 
> (the second part is evident anyway)

The actions being taken in your patch (including but not limited to calling system()) were dangerous and the patch failed to prevent exploitation of the new features.

I think the point you are missing boils down to: what is the threat model of ffmpeg?

Your patch is built on the assumption that ffmpeg will only ever be run on single-user systems where many things can be trusted, but this is not the case.

In reality, ffmpeg is often used on multi-user systems and called in strange ways from network services where many inputs are not trusted.

In particular:
* ffmpeg cannot trust anything which does not come from a known-trusted source (in practice this means it can trust little beyond its own binary).
* ffmpeg must not assume that it is the only user on the system (anything which can be touched by another user at runtime may be modified).
* ffmpeg should not in general trust the environment (it may be launched from a service which has allowed nasty things to be injected into the environment), though this may be allowed in specific well-known cases.
* ffmpeg should not excessively trust its command-line arguments, as the caller may not have properly vetted them (in practice some nasty cases have to be allowed for the program to work at all).

The main thing that it must prevent is any sort of code execution in the context of the current user, whether that be binary code in the current process or by launching another process running code which came from an untrusted source.

Your patch was dangerous in at least the following ways:
* It interacts with temporary directories in unsafe ways.
* It trusts values coming from the environment.
* It runs a shell with arguments which could have come from an untrusted source.

The last one of those is completely unacceptable and I believe it lead people to reject the patch out of hand without considering anything else.

Some example exploits:
* Another user on a shared system observes the user of the common temporary directory.  They create a file with the predictable name before your code does, then manipulate its contents.  The command to open it then runs code under the attacker's control as the victim user.
* The attacker manipulates the environment to inject their own code into the call to system(), running shell commands as the victim user (I gave a specific example of this in a previous email).

This list is not exhaustive at all, so please do not treat it as a set of specific things to fix - there are very likely other paths for the attacker to achieve code execution in the context of the current user that I am not sufficiently clever to think of as the patch is not written in a secure and robust way.

More generally, I am unsure whether anyone here believes themselves competent to review a patch which securely and robustly performs these sorts of very dangerous actions (I do not believe myself to be), so in practice ffmpeg developers will prefer to never include any code which performs such actions.

Thanks,

- Mark

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

  reply	other threads:[~2025-05-31 16:21 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-28 15:24 softworkz .
2025-05-28 17:34 ` Rémi Denis-Courmont
2025-05-28 18:01   ` softworkz .
2025-05-28 18:09     ` softworkz .
2025-05-28 18:27 ` Marton Balint
2025-05-28 18:46   ` softworkz .
2025-05-29  2:59 ` softworkz .
2025-05-29  9:55   ` Nicolas George
2025-05-31 11:44   ` softworkz .
2025-05-31 16:21     ` Mark Thompson [this message]
2025-05-31 18:28       ` softworkz .
2025-05-31 20:26         ` Mark Thompson
2025-06-02  6:09           ` softworkz .
2025-06-02  7:31           ` softworkz .
2025-05-31 16:59     ` softworkz .
2025-05-31 17:34       ` softworkz .
2025-06-01 23:21         ` Michael Niedermayer
2025-06-01 23:51           ` softworkz .
2025-06-02  7:57           ` Nicolas George
2025-06-02  9:31             ` softworkz .
2025-06-02 10:18               ` softworkz .
2025-06-02 10:49                 ` Nicolas George
2025-06-02 19:30                   ` softworkz .
2025-06-02 21:26                   ` softworkz .
2025-06-02 19:34             ` Michael Niedermayer
2025-06-02 21:22               ` softworkz .
2025-06-03  1:06                 ` Michael Niedermayer
2025-06-01 23:56         ` softworkz .
2025-05-31 18:38       ` Kieran Kunhya via ffmpeg-devel
2025-05-29 14:43 ` Nicolas George
2025-05-30  3:42   ` softworkz .
2025-05-31 19:31 ` Leo Izen
2025-05-31 19:34   ` Marvin Scholz
2025-05-31 20:08   ` softworkz .
2025-05-31 20:13     ` softworkz .

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=dd70f1cd-284d-4e70-9eef-dc86ce4768b4@jkqxz.net \
    --to=sw@jkqxz.net \
    --cc=ffmpeg-devel@ffmpeg.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git