[FFmpeg-devel] backport fixes for CVE-2019-9718 and CVE-2019-9721

Carl Eugen Hoyos ceffmpeg at gmail.com
Wed Mar 20 15:50:09 EET 2019


2019-03-20 12:08 GMT+01:00, Dominik 'Rathann' Mierzejewski
<dominik at greysector.net>:
> On Wednesday, 20 March 2019 at 00:48, Carl Eugen Hoyos wrote:
>> 2019-03-19 23:28 GMT+01:00, Dominik 'Rathann' Mierzejewski
>> <dominik at greysector.net>:
>>
>> > Were the CVE IDs not known at the time these were pushed to master?
>>
>> No, how would this be possible?
>
> Easy: you can request the ID at https://cveform.mitre.org/ before
> pushing the commits.

(Assuming "you" are FFmpeg developers)
I don't remember an FFmpeg developer requesting a CVE ID.
Given the number of issues related to DoS or undefined
behaviour that are fixed each week, this would probably be a
major task.

>> > Not having them in the commit log made it more difficult to find them.
>>
>> I thought the CVEs themselves contain the commits, no?
>
> They do, but looking at the commits only I wouldn't know there
> were CVE IDs associated with them, so the relation is one-way
> only. I would feel better if the commit log said a CVE ID was
> being fixed.

Unfortunately, this is not possible with the available manpower.

Carl Eugen