104 points trollied | 4 comments
vqtska ◴[] No.45785720[source]
I wonder if this vulnerable codec is enabled by default when building FFmpeg? Because if so, then it doesn't matter that it's a "1990s game codec" because any application using FFmpeg to accept arbitrary video files is vulnerable to memory corruption, which should probably be taken more seriously.
replies(4): >>45785760 #>>45785825 #>>45786027 #>>45786093 #
1. ls612 ◴[] No.45785825[source]
It isn't even like this is without precedent; the FORCEDENTRY NSO kit used the shitty old JBIG2 parser that Apple was shipping as its entry point despite the fact that approximately nobody was legitimately using JBIG2 in iMessage.
replies(2): >>45788243 #>>45791112 #
2. ◴[] No.45788243[source]
3. hulitu ◴[] No.45791112[source]
> despite the fact that approximately nobody was legitimately using JBIG2 in iMessage.

Then why has it been enabled? Asking for a friend. /s

Unlike Apple, ffmpeg has a reason to enable old codecs. If you only need a subset: configure; make; make install

replies(1): >>45795869 #
4. astrange ◴[] No.45795869[source]
> Then why has it been enabled? Asking for a friend. /s

Because it's in the PDF spec, and you can't randomly disable parts of that.
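
An added example (not from the thread or from the FFmpeg project) for the question above about default-enabled decoders and the suggestion to build only a subset: a shell check that compares the decoders listed by `ffmpeg -decoders` against an allowlist and prints matching `./configure` flags. The decoder listing and the allowlist are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit an FFmpeg build's decoders against an allowlist.
# Real input: ffmpeg -hide_banner -decoders | unexpected_decoders "h264 aac"

# Constructed sample in the layout printed by `ffmpeg -decoders`.
SAMPLE_DECODERS='Decoders:
 V..... = Video
 A..... = Audio
 ------
 VFS..D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 A....D aac                  AAC (Advanced Audio Coding)
 VF...D mjpeg                Motion JPEG
 V....D gif                  CompuServe GIF
'

# Print decoder names from stdin, one per line. Rows after the "------"
# separator hold a capability-flag field followed by the decoder name.
list_decoders() {
    awk 'seen && NF >= 2 { print $2 } /^ *-+ *$/ { seen = 1 }'
}

# Print decoders on stdin that are NOT in the space-separated allowlist $1.
unexpected_decoders() {
    allow=" $1 "
    list_decoders | while read -r name; do
        case "$allow" in
            *" $name "*) ;;                  # allowed, stay silent
            *) printf '%s\n' "$name" ;;      # compiled in but not needed
        esac
    done
}

# Emit ./configure flags for a decoder allowlist. Demuxers, parsers and
# protocols need their own --enable-demuxer/--enable-parser/--enable-protocol.
configure_args() {
    args="--disable-everything"
    for d in $1; do args="$args --enable-decoder=$d"; done
    printf '%s\n' "$args"
}

ALLOWLIST="h264 aac"    # assumption: what this deployment actually decodes
echo "Decoders outside the allowlist:"
printf '%s' "$SAMPLE_DECODERS" | unexpected_decoders "$ALLOWLIST"
echo "Suggested configure flags:"
configure_args "$ALLOWLIST"
```

Any name the check prints is parsing code reachable from untrusted input that the application does not need.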