[FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions
Michael Niedermayer
michael at niedermayer.cc
Fri Jan 24 00:35:42 EET 2025
Hi Kieran
On Thu, Jan 23, 2025 at 09:54:36PM +0000, Kieran Kunhya via ffmpeg-devel wrote:
> On Thu, 23 Jan 2025, 00:11 Michael Niedermayer, <michael at niedermayer.cc>
> wrote:
>
> > Hi Kieran
> >
> > On Wed, Jan 22, 2025 at 10:47:52PM +0000, Kieran Kunhya via ffmpeg-devel
> > wrote:
> > > On Wed, 22 Jan 2025, 20:36 Michael Niedermayer, <michael at niedermayer.cc>
> > > wrote:
> > >
> > > > This blocks disallowed extensions from probing
> > > > It also requires all available segments to have matching extensions to
> > the
> > > > format
> > > > mpegts is treated independent of the extension
> > > >
> > >
> > > Potentially this is a stupid question but what stops an attacker from
> > > faking the extension?
> >
> > How would he fake the extension ?
> >
> > The attacker generally wants to access a sensitive file, maybe one in
> > /etc or maybe .ssh with something like the tty demuxer / ansi decoder
> >
> > lets pick /etc/passwd as a specific example
> >
>
> Is there no control character they can use to fake the extension
> potentially?
If your question is, if theres a sequence of characters that gets interpreted
as an extension thats then not in the file that is being opened on one platform
Thats an interresting question, do you know of such a case ?
>
> As an aside, why is this CVE from 2023 being fixed now?
Because it was reported now
more precissely, IIRC alexander strasser reported it after seeing it on
https://bugzilla.redhat.com/show_bug.cgi?id=2334338
I then tried to contact Harvey Phillips of Amazon Element55
and once i got in contact with him looked into fixing the
issues ffmpeg was still vulnerable to.
Yes, some CVEs out there are not reported to ffmpeg-security
at the time they should have been.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250123/adb4ffbc/attachment.sig>
More information about the ffmpeg-devel
mailing list