[FFmpeg-devel] [rfc] ffmpeg security issue mailing list

Michael Niedermayer michael at niedermayer.cc
Wed Feb 8 23:07:24 EET 2017


Hi all

On Sat, Aug 08, 2015 at 03:51:11AM +0200, Michael Niedermayer wrote:
> On Fri, Aug 07, 2015 at 07:46:55PM -0400, compn wrote:
> > hello,
> > 
> > some of you know that we have a list for security / CVE issues.
> > some of you did not know this.
> > 
> > I think it is a private list due to not wanting people to make exploits
> > before we have a chance to fix them. Of course, if no one is subscribed
> > to review/fix issues then they will never get fixed.
> > 
> > So if you are a regular developer who wants access to this list, please
> > speak up.
> > 
> > I do not run nor admin the security email/list (nor do I know who does),
> > so please don't ask me questions about it.
> 
> I guess I "de facto" admin the security "email/list".
> If someone wants to help with security issues, mail me.
> 
> But there are no open security issues, and if there was one I very
> likely would fix it ASAP.

A small update due to never? before seen interest in ffmpeg-security
in the recent weeks/months.

How to get on the ffmpeg-security "list"

People working on security in FFmpeg, that's maybe fixing many Coverity
issues, backporting fixes to releases, maintaining FFmpeg releases, ...
have an obsession with fixing bugs about undefined behavior or bugs
about crashes and race conditions on trac. Or an obsession with testing
every bugfix, and who want and need access to ffmpeg-security, should
be on ffmpeg-security.
In short, people on ffmpeg-security should need to be on ffmpeg-security.
If you fall in this kind of category, please mail me.

Or someone who reviews commits and obtains CVE#s for everything that
could be exploitable ...

I don't think we should give access to ffmpeg-security to everyone who
wants to be on the list. This is of course something the community
has to decide and not me; I am just erring on the safe side and am very
restrictive on who is added.

About the content, I must warn you the list is really not very
interesting, as in trying to find, together with Debian, someone at
Chromium who knows what the CVEs they registered about FFmpeg actually
are about ... and then it embarrassingly is a patch on ffmpeg-devel
that is stuck in review and not applied, and now I can redo the releases ...
... Where are the people caring about security? Why did they not
pick these 2 public patches up, change what they felt needs changing
and push them?
And there are the fuzz samples that need more than 20sec; these are
the main type of reported issue recently after I've succeeded to stop
the OOM kind.

Also there are no open security(*) issues I know of, and if there were,
I likely would fix them ASAP. Not saying that help is unwelcome
or that it's impossible for me to make a mistake or miss something ...

(*) I assume here that fuzz samples taking more than 20sec or integer
overflows in DSP code aren't security issues. I am working on fixing
these too, but for this category there are open issues.

PS: If you want access to the oss-fuzz reports, they all seem to be
automatically public 7 days after being fixed.

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you fake or manipulate statistics in a paper in physics you will never
get a job again.
If you fake or manipulate statistics in a paper in medicine you will get
a job for life at the pharma industry.