
104 points trollied | 1 comments
gnfargbl No.45786157
FFmpeg seem to be taking the position that their code must be considered insecure in production unless you pay them for security consulting [1].

On the one hand, that's fine; it's their project, and if attack surface is not a priority for them, or they want to monetise that function, then nobody else has a right to complain.

On the other hand, we have plenty of evidence that untrusted input validation bugs pose a very high risk to end users. So, for as long as this is their policy, FFmpeg code really should not be included in any system where security is at all important. Perhaps we need a "fundamentally unsafe for use" sticker for OSS projects taking this stance?

[1] https://x.com/FFmpeg/status/1984425167070630289

1. vreg No.45786204
All code should be considered potentially vulnerable; that's why we have so many layers of exploit mitigation, from the compiler to the runtime environment to the overall design of the system the code is running in.