←back to thread

FFmpeg dealing with a security researcher

(twitter.com)
104 points trollied | 1 comments | 01 Nov 25 20:59 UTC | HN request time: 0.208s | source
Show context
TheChaplain ◴[01 Nov 25 21:42 UTC] No.45785676[source]
The comments from the public.. Just wow we are doomed..

To explain, Googles vulnerability scanner found a problem in an obscure decoder for a 1990s game files (Lucasfilm Smush). Devs are not happy they get timewasting reports on stuff that rarely anyone ever uses except an exceptionally tiny group.

Then people start berating them without even knowing the full story...

replies(3): >>45785704 #>>45785787 #>>45786348 #
haskellshill ◴[01 Nov 25 23:11 UTC] No.45786348[source]
>rarely anyone ever uses

It's enabled by default so all that's required to exploit it would be to construct a payload file and name it movie.mp4

replies(1): >>45786470 #
defrost ◴[01 Nov 25 23:31 UTC] No.45786470[source]
If only Google had the ability to custom compile FFmpeg to only include robust mainstream codecs.

In such a would they might even handball submitted obscure codecs to a full build in a sandbox to track bleeding edge malware.

replies(2): >>45786561 #>>45789812 #
haskellshill ◴[02 Nov 25 12:25 UTC] No.45789812[source]
Right, they probably already mitigated this bug in their own usage. Which is exactly why reporting the bug is a FAVOR to ffmpeg. Would you rather they just quietly fix it on their own and not report it to the maintainers?
replies(2): >>45789870 #>>45792499 #
1. array_key_first ◴[02 Nov 25 18:54 UTC] No.45792499[source]
I would rather they fix it and submit a patch like normal fucking people.