[FFmpeg-devel] [rfc] ffmpeg security issue mailing list

Michael Niedermayer michael at niedermayer.cc
Thu Feb 9 17:07:53 EET 2017


On Thu, Feb 09, 2017 at 03:29:40PM +0100, Paul B Mahol wrote:
> On 2/9/17, Michael Niedermayer <michael at niedermayer.cc> wrote:
> > On Thu, Feb 09, 2017 at 08:25:43AM +0100, wm4 wrote:
> >> On Wed, 8 Feb 2017 22:07:24 +0100
> >> Michael Niedermayer <michael at niedermayer.cc> wrote:
> >>
> >> > Hi all
> >> >
> >> > On Sat, Aug 08, 2015 at 03:51:11AM +0200, Michael Niedermayer wrote:
> >> > > On Fri, Aug 07, 2015 at 07:46:55PM -0400, compn wrote:
> >> > > > hello,
> >> > > >
> >> > > > some of you know that we have a list for security / CVE issues.
> >> > > > some of you did not know this.
> >> > > >
> >> > > > i think it is a private list due to not wanting people to make
> >> > > > exploits
> >> > > > before we have a chance to fix them. of course, if no one is
> >> > > > subscribed
> >> > > > to review/fix issues then they will never get fixed.
> >> > > >
> >> > > > so if you are a regular developer who wants access to this list,
> >> > > > please
> >> > > > speak up.
> >> > > >
> >> > > > i do not run nor admin the security email/list (nor do i know who
> >> > > > does)
> >> > > > so please dont ask me questions about it.
> >> > >
> >> > > I guess, i "de facto" admin the security "email/list".
> >> > > if someone wants to help with security issues, mail me
> >> > >
> >> > > but there are no open security issues and if there was one i very
> >> > > likely would fix it ASAP
> >> >
> >> > A small update due to never? before seen interest in ffmpeg-security
> >> > in the recent weeks/months
> >> >
> >> > How to get on the ffmpeg-security "list"
> >> >
> >> > People working on security in FFmpeg, thats maybe fixing many coverity
> >> > issues, backporting fixes to releases, maintaining FFmpeg releases, ...
> >> > have an obsession with fixing bugs about undefined behavior or bugs
> >> > about crashes and race conditions on trac. Or an obsession with testing
> >> > every bugfix and who want and need access to ffmpeg-security should
> >> > be on ffmpeg-security
> >> > In short people on ffmpeg-security should need to be on ffmpeg-security
> >> > If you fall in this kind of category, please mail me
> >> >
> >> > Or someone who reviews commits and obtains CVE#s for everything that
> >> > could be exploitable ...
> >> >
> >> > I dont think we should give access to ffmpeg-security to everyone who
> >> > wants to be on the list. This is of course something the community
> >> > has to decide and not me, iam just err-ing on the safe side and am very
> >> > restrictive on who is added.
> >> >
> >> > About the content i must warn you the list is really not very
> >> > interesting as in trying to find together with debian someone at
> >> > chromium who knows what the CVEs they registered about FFmpeg actually
> >> > are about ... and then it embarrassingly is a patch on ffmpeg-devel
> >> > that is stuck in review and not applied and now i can redo the releases
> >> > ...
> >> > ... Where are the people caring about security ? why did they not
> >> > pick these 2 public patches up, change what they felt needs changing
> >> > and pushed them ?
> >> > and there are the fuzz samples that need more than 20sec, these are
> >> > the main type of reported issue recently after ive succeeded to stop
> >> > the oom kind.
> >> >
> >> > Also there are no open security(*) issues i know of, and if there would
> >> > be i likely would fix them ASAP. Not saying that help is unwelcome
> >> > or that its impossible for me to make a mistake or miss something ...
> >> >
> >> > (*) I assume here that fuzz samples taking more than 20sec or integer
> >> > overflows in DSP code arent security issues. Iam working on fixing
> >> > these too but for this category there are open issues.
> >> >
> >> > PS: If you want access to the oss-fuzz reports, they all seem
> >> > automatically public 7 days after being fixed
> >> >
> >> > [...]
> >> >
> >>
> >> I'd like to get on the ffmpeg-security mailing list to review patches.
> >
> > Thats appreciated, though theres a problem, there rarely are patches
> > on that "list". Besides there is no mailing list this is just a mail
> > alias
> >
> > if i search for "~cffmpeg-security ~b\\+\\+\\+" i see only 54 matches
> > in the whole history of the list in my inbox most of which are
> > duplicates in quotes of replies
> > so maybe there were less than 20 patches ever posted to that list.
> > also patches tend to be CC-ed to developers knowing the code or commit
> > related to a issue, like ronald and james for the http fix in december
> > or paul and martin for the exr patch in august
> >
> > If the community wants me to add every FFmpeg maintainer who wants
> > to be on the alias, i can do that. But in the absence of a clear
> > community decision (poll/vote) on the inclusion criteria iam reluctant
> > to add anyone without a strong reason. There occasionally is
> > information or files posted that could be used in the construction of
> > an exploit prior to everyone updating, so the fewer addresses it is
> > sent to the better.
> 
> So others are sending CVE reports directly to you?

Not sure i understand the question.
Most security stuff is sent to the ffmpeg-security "list / alias",
there is occasional something that is sent to me directly.
Maybe some people trust me more than the alias i dont know.
Either way locally both end in my inbox, i dont have a separate folder
for ffmpeg-security, i like having it in my inbox so i see it asap
and dont miss it just because i dont look in a separate "folder"

if you meant ~cffmpeg-security vs ~tffmpeg-security
there were only 10 matches for ~tffmpeg-security ~b\\+\\+\\+ 
so i quoted ~c

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire