
104 points trollied | 12 comments
bawolff No.45788035
I'm confused, on the bug report it is claimed ffmpeg fixed the issue, so presumably it was a valid issue. So what's the problem here? That it was a mere memory corruption bug and not an exploitable issue? Even still it seems reasonable that Google reports bugs even if they aren't security issues and it seems reasonable to err on the side of memory corruption being security relevant.

Edit: I guess it's not even that, they are just bitter that they have to fix bugs in their own code??? Receiving vuln reports is a gift. If ffmpeg doesn't like it maybe Google should just start practising full disclosure.

replies(2): >>45788153 >>45788682
hitekker No.45788153
Here's a better summary: ffmpeg is getting DDOS'd by AI generated security CVEs. Those CVEs currently have zero real-world impact; the "researchers" didn't even bother to write a patch/fix for their reports.

My hot take: it's security theater drama. Burnt-out maintainers on one side and wealthy corporate employees on the other.

replies(3): >>45788317 >>45789790 >>45793248
x0x0 No.45788317
Even if they have real-world impact: ffmpeg is a volunteer project. With (ffmpeg -codecs | wc -l) 519 codecs. This will trivially exhaust available ffmpeg eng resources.
replies(1): >>45789774
haskellshill No.45789774
There's no law that you have to fix all bug reports. Isn't it better for users and developers alike that they can see the problems of the project? If they don't have resources that's fine, it's not like they are charging money for their product. But why not be honest and not request people sweep bugs under the rug for fear of looking bad?
replies(2): >>45789948 >>45795627
awakeasleep No.45789948
Because it burns out developers and ruins the project. It's like how the treatment can be worse than the disease in medicine.

The CVEs get reported, then big corps' automated systems start flagging all use of ffmpeg, the big corp security software stops builds and removes it from dev laptops, then frustrated big corp engineers start harassing the volunteers and soon it's not worth volunteering anymore, and the project dies, and there was never a real-world impact.

replies(1): >>45790544
ndiddy No.45790544
My point of view is that the unpaid ffmpeg maintainers should stop playing along with the corporate "security researchers" and not prioritize a bug over everything else simply because it's a CVE. In this case, the "high priority CVE" is from a reverse-engineered codec a hobbyist wrote to decode video from 1990s LucasArts video games. I think it's unreasonable to expect the maintainers to drop everything to fix a bug in a codec that most people will never use. If the trillion-dollar companies sending AI-generated CVE reports care so strongly about getting them fixed ASAP, they should really be fixing them themselves.
replies(1): >>45790745
estimator7292 No.45790745
You're completely missing the point.

The problem isn't that volunteer devs are harassed into work.

The problem is being harassed.

Whether or not you "care" or feel the need to do any work or accept responsibility, constant harassment will destroy anyone, even you.

replies(2): >>45791993 >>45793257
ndiddy No.45791993
My hope is that if they started responding to CVE bug reports for hobby codecs with something like “This is a codec written by someone in his free time and intended to be used for preservation purposes. We do not support using this codec with untrusted input and may not implement a fix for this bug within the 90 day CVE timeline”, it would stop the harassment. The companies doing the CVE spam would either have to start fixing things themselves, contract someone to do so, or stop using ffmpeg due to all the scary CVEs getting flagged in whatever bullshit security compliance standard they use.
replies(1): >>45792790
phil21 No.45792790
It would not stop the harassment at all. These reports are effectively free for the originating organization to write using AI - and some low level junior looking for promotion within said org will be highly motivated to pump those metrics up come review time.

You’d have to basically blacklist these orgs from all bug reports and maybe open it up to a select few known trusted senior resources that care more about their personal reputation within the community vs. corporate politics.

bawolff No.45793257
Getting a polite bug report is not being harassed.
replies(2): >>45793650 >>45795134
x0x0 No.45793650
"Fix it or we publish exploit code" is not far off.
replies(2): >>45793724 >>45793898
nradov No.45793724
So let them publish exploit code. What's the problem?
bawolff No.45793898
Well either you care about security or you don't.

If you don't then your users should have the right to know, so they can decide for themselves whether or not the risk is worth it.

Do you think that just because a project doesn't disclose something it goes away, or that if Google can find the bug, much better-funded groups like the NSA or malware vendors can't? Shoving things under the rug is the worst outcome.

replies(1): >>45794679
x0x0 No.45794679
What absolute nonsense. There's a gulf of difference between "there's no way 500+ codecs contributed mostly by unpaid hobbyists is robust to hostile input" and "here's working exploit code."
hitekker No.45795134
> This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2025-11-20 [https://issuetracker.google.com/issues/436510153]

Sounds like a threat to me. ffmpeg is a tiny team and Google is a goliath. Not to mention Google has used their AI to spam the same threat, about 8 times in the last few months https://ffmpeg.org/security.html

replies(1): >>45796567
bawolff No.45796567
Google is hardly the first people to come up with the notion of responsible disclosure. Whether you agree or not with the practice, the goal is to balance the needs of the maintainer with the needs of consumers. In practice such practices have massively boosted the security of computer systems.

There is a lot of historical context with this sort of thing that has led to systems like this, and it has nothing to do with Google.

Besides, Google did not sign an NDA, they aren't under any obligation to keep anything secret. 90 days is a courtesy. They are fully within their rights to just publish their findings immediately if they felt like it.