FFmpeg dealing with a security researcher

(twitter.com)

104 points trollied | 1 comments | 01 Nov 25 20:59 UTC | HN request time: 0.219s | source

Show context

bawolff ◴[02 Nov 25 05:30 UTC] No.45788035[source]▶

I'm confused, on the bug report it is claimed ffmpeg fixed the issue, so presumably it was a valid issue. So what's the problem here? That it was a mere memory corruption bug and not an exploitable issue? Even still it seems reasonable that google reports bugs even if they aren't security issues and it seems reasonable to err on the side of memory cirruption being security relavent.

Edit: i guess its not even that, they are just bitter that they have to fix bugs in their own code??? Recieving vuln reports is a gift. If ffmpeg doesnt like it maybe google should just start practising full disclosure.

replies(2): >>45788153 #>>45788682 #

hitekker ◴[02 Nov 25 06:07 UTC] No.45788153[source]▶

>>45788035 #

Here's a better summary: ffmpeg is getting DDOS'd by AI generated security CVEs. Those CVEs currently have zero real-world impact; the "researchers" didn't even bother to write a patch/fix for their reports.

My hot-take: it's security theater drama. Burn-out maintainers on one side and wealthy corporate employees on the other.

replies(3): >>45788317 #>>45789790 #>>45793248 #

1. bawolff ◴[02 Nov 25 20:41 UTC] No.45793248[source]▶

>>45788153 #

This particular issue has a PoC to reproduce it. It seems very much that it would have real world impact

↑