[MPlayer-dev-eng] my two cents
Reimar Döffinger
Reimar.Doeffinger at stud.uni-karlsruhe.de
Fri Aug 26 11:01:03 CEST 2005
Hi,
On Fri, Aug 26, 2005 at 04:38:39AM +0200, Sven Tantau wrote:
> as you are crying about my posting to full disclosure, I need to comment
> on this:
"Crying" is not the the right word IMHO. Also it is more the content
that we complain about than just the posting in itself.
Some things made it really look bad (and things difficult for us to make
a quick fix): the bad availability of the sample, saying "2 bytes strf
parameter" (it is not a parameter, it is a chunk, and it contains the
who WAVEFORMATEX structure in this case), pointing to
af_calc_insize_constrained as the source of the problem although it
seems it is not, and saying that ot gets overwritten in demuxer.c
although it seems to be in ad_pcm.c.
Though please check if
http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpcodecs/ad_pcm.c.diff?r1=1.18&r2=1.19
fixes it, to make sure we are talking about the same thing here.
> At first I applologise for not contacting the developers via private
> channel. I can explain this. I did not know that I have to do so. As
> there is not special security contact person; and from your guide lines:
>
> B.3. Where to report bugs
>
> Subscribe to the MPlayer-users mailing list:
> http://mplayerhq.hu/mailman/listinfo/mplayer-users and send your bug
> report to mailto:mplayer-users at mplayerhq.hu where you can discuss it.
What annoyed us here is that it was below what we expect from bug
reports: It didn't contain a sample file (sorry, but at least I don't
have filesharing programs around, and you didn't exactly say where to
look for it either), it did not contain MPlayer output, no gdb
backtrace, not even command line used to start MPlayer.
So even after becoming aware of it, that made it very difficult to
reproduce it as with CVS versions this happens very rarely.
And in my case I am still a modem user so no "quickly downloading" pre7.
> Ok.. I thought perhaps I should report this to the developer list...but:
>
> Welcome to the MPlayer-dev-eng at mplayerhq.hu mailing list! This is the
> list about MPlayer development. Do *N*O*T* send feature requests, bug
> reports, user or support questions here, you won't be welcomed then.
> These questions belong on the MPlayer-users list.
Hmm... maybe it should be clarified. You know, it's really hard to
convince people to send PEBKAC problems to the right list.
> Nobody has to follow your reporting guide lines.
Sure not, but I would object to the "vendor contacted" part of the
advisory since it didn't really reach us (I always find "vendor" very
weird in this context).
> As I cant expect you to support XY, you cant expect Z from me. But I can
> ask you. Why isnt there a mail in my inbox: 'We need more info!'...?
> (Until now..)
Well, I guess nobody really thought of the possibility. But also we were
busy fixing it after we heard about it.
> Btw: I asked for confirmation in my postings to your list and to full
> disclosure. In my opinion heise made the big deal of it... (Until I read
> your complains, I thought they checked all I said and I saw their story
> as confirmation.)
I guess nobody who knows heise is really shocked when they make a big
deal about it. But IMHO they should have stated that a MediaPlayer is
probably never something you should assume to be "safe to use". I am
certain there are a lot more holes in MPlayer.
I hope you can at least partially understand why we were quite annoyed
about all this.
Greetings,
Reimar Döffinger
More information about the MPlayer-dev-eng
mailing list