Most active commenters

    ←back to thread

    FFmpeg to Google: Fund us or stop sending bugs

    (thenewstack.io)
    1124 points CrankyBear | 17 comments | 11 Nov 25 18:32 UTC | HN request time: 0.399s | source | bottom
    1. JamesBarney ◴[11 Nov 25 19:11 UTC] No.45891454[source]
    I get the idea of publicly disclosing security issues to large well funded companies that need to be incentivized to fix them. But I think open source has a good argument that in terms of risk reward tradeoff, publicly disclosing these for small resource constrained open source project probably creates a lot more risk than reward.
    replies(5): >>45891546 #>>45891615 #>>45892029 #>>45892122 #>>45898765 #
    2. Msurrow ◴[11 Nov 25 19:17 UTC] No.45891546[source]
    In addition to your point, it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days. The security issue should certainly be disclosed - when its responsible to do so.

    Now, if Google or whoever really feels like fixing fast is so important, then they could very well contribute by submitting a patch along with their issue report.

    Then everybody wins.

    replies(3): >>45891625 #>>45891932 #>>45895660 #
    3. Ygg2 ◴[11 Nov 25 19:22 UTC] No.45891615[source]
    > publicly disclosing these for small resource constrained open source project probably creates a lot more risk than reward.

    Not publicly disclosing it also carries risk. Library users get wrong impression that library has no vulnerabilities, while numerous bugs are reported but don't appear due to FOSS policy.

    4. danlitt ◴[11 Nov 25 19:22 UTC] No.45891625[source]
    > it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days

    This is very far from obvious. If google doesn't feel like prioritising a critical issue, it remains irresponsible not to warn other users of the same library.

    replies(3): >>45891667 #>>45891696 #>>45892044 #
    5. Msurrow ◴[11 Nov 25 19:25 UTC] No.45891667{3}[source]
    If that’s the case why give the OSS project any time to fix at all before public disclosure? They should just publish immediately, no? Warn other users asap.
    replies(3): >>45892856 #>>45894143 #>>45895946 #
    6. foolswisdom ◴[11 Nov 25 19:28 UTC] No.45891696{3}[source]
    Part of the problem is that many of the issues are not really critical, no?
    7. derf_ ◴[11 Nov 25 19:50 UTC] No.45891932[source]
    > ...then they could very well contribute by submitting a patch along with their issue report.

    I don't want to discourage anyone from submitting patches, but that does not necessarily remove all (or even the bulk of) the work from the maintainers. As someone who has received numerous patches to multimedia libraries from security researchers, they still need review, they often have to be rewritten, and most importantly, the issue must be understood by someone with the appropriate domain knowledge and context to know if the patch merely papers over the symptoms or resolves the underlying issue, whether the solution breaks anything else, and whether or not there might be more, similar issues lurking. It is hard for someone not deeply involved in the project to do all of those things.

    8. phoronixrly ◴[11 Nov 25 19:58 UTC] No.45892029[source]
    You are missing the tiny little fact that apparently a large portion of infosec people are of the opinion that insecure software must not exist. At any cost. No shades of gray.
    9. afiori ◴[11 Nov 25 19:59 UTC] No.45892044{3}[source]
    Unless the maintainers are incompetent or uncooperative this does not feel like a good strategy. It is a good strategy on Google's side because it is easier for them to manage
    10. NobodyNada ◴[11 Nov 25 20:06 UTC] No.45892122[source]
    > publicly disclosing these for small resource constrained open source project probably creates a lot more risk than reward.

    You can never be sure that you're the only one in the world that has discovered or will discover a vulnerability, especially if the vulnerability can be found by an LLM. If you keep a vulnerability a secret, then you're leaving open a known opportunity for criminals and spying governments to find a zero day, maybe even a decade from now.

    For this one in particular: AFAIK, since the codec is enabled by default, anyone who processes a maliciously crafted .mp4 file with ffmpeg is vulnerable. Being an open-source project, ffmpeg has no obligation to provide me secure software or to patch known vulnerabilities. But publicly disclosing those vulnerabilities means that I can take steps to protect myself (such as disabling this obscure niche codec that I'm literally never going to use), without any pressure on ffmpeg to do any work at all. The fact that ffmpeg commits themselves to fixing known vulnerabilities is commendable, and I appreciate them for that, but they're the ones volunteering to do that -- they don't owe it to anyone. Open-source maintainers always have the right to ignore a bug report; it's not an obligation to do work unless they make it one.

    Vulnerability research is itself a form of contribution to open source -- a highly specialized and much more expensive form of contribution than contributing code. FFmpeg has a point that companies should be better about funding and contributing to open-source projects that they rely on, but telling security researchers that their highly valuable contribution is not welcome because it's not enough is absurd, and is itself an example of making ridiculous demands for free work from a volunteer in the open-source community. It sends the message that white-hat security research is not welcome, which is a deterrent to future researchers from ethically finding and disclosing vulnerabilities in the future.

    As an FFmpeg user, I am better off in a world where Google disclosed this vulnerability -- regardless of whether they, FFmpeg, or anyone else wrote a patch -- because a vulnerability I know about is less dangerous than one I don't know about.

    11. danlitt ◴[11 Nov 25 21:07 UTC] No.45892856{4}[source]
    Why do you think it has to be all or nothing? They are both reasonable concerns. That's why reasonable disclosure windows are usually short but not zero.
    12. GabrielTFS ◴[11 Nov 25 23:06 UTC] No.45894143{4}[source]
    Full (immediate) disclosure, where no time is given to anyone to do anything before the vulnerability is publicly disclosed, was historically the default, yes. Coordinated vulnerability disclosure (or "responsible disclosure" as many call it) only exists because the security researchers that practice it believe it is a more effective way of minimizing how much the vulnerability might be exploited before it is fixed.
    13. tpmoney ◴[12 Nov 25 02:14 UTC] No.45895660[source]
    > In addition to your point, it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days.

    So when the xz backdoor was discovered, you think it would have been better to sit on that quietly and try to both wrest control of upstream away from the upstream maintainers and wait until all the downstream projects had reverted the changes in their copies before making that public? Personally I'm glad that went public early. Yes there is a tradeoff between speed of public disclosure and publicity for a vulnerability, but ultimately a vulnerability is a vulnerability and people are better off knowing there's a problem than hoping that only the good guys know about it. If a Debian bug starts tee-ing all my network traffic to the CCP and the NSA, I'd rather know about it before a patch is available, at least that way I can decide to shut down my Debian boxes.

    replies(1): >>45899159 #
    14. saagarjha ◴[12 Nov 25 02:59 UTC] No.45895946{4}[source]
    Because it gives maintainers a chance to fix the issue, which they’ll do if they feel it is a priority. Google does not decide your priorities for you, they just give you an option to make their report a priority if you so choose.
    15. arccy ◴[12 Nov 25 11:13 UTC] No.45898765[source]
    But if open source is reliant on public contributors to fix things, then the bug should be open so anyone can take a stab at fixing it, rather than relying on the closed group of maintainers
    16. Orygin ◴[12 Nov 25 12:07 UTC] No.45899159{3}[source]
    The XZ backdoor is not a bug but a malicious payload inserted by malicious actors. The security vulnerability would immediately been used as it was created by attackers.

    This bug is almost certainly too obscure to be found and exploited in the time the fix can be produced by Ffmpeg. On the other hand, this vuln being public so soon means any attacker is now free to develop their exploit before a fix is available.

    If Google's goal is security, this vulnerability should only be disclosed after it's fixed or a reasonable time (which, according to ffmpeg dev, 90 days is not enough because they receive too many reports by Google).

    replies(1): >>45908160 #
    17. tpmoney ◴[12 Nov 25 23:04 UTC] No.45908160{4}[source]
    A bug is a bug, regardless of the intent of the insertion. You have no idea if this bug was or wasn't intentionally inserted. It's of course very likely that it wasn't, but you don't and can't know that, especially given that malicious bug insertion is going to be designed to look innocent and have plausible deniability. Likewise, you don't know that the use of the XZ backdoor was imminent. For all you know the intent was to let it sit for a release or two, maybe with an eye towards waiting for it to appear in a particular down stream target, or just to make it harder to identify the source. Yes, just like it is unlikely that the ffmpeg bug was intentional, it's also unlikely the xz backdoor was intended to be a sleeper vulnerability.

    But ultimately that's my point. You as an individual do not know who else has access or information about the bug/vulnerability you have found, nor do you have any insight into how quickly they intend to exploit that if they do know about it. So the right thing to do when you find a vulnerability is to make it public so that people can begin mitigating it. Private disclosure periods exist because they recognize there is an inherent tradeoff and asymmetry in making the information public and having effective remediations. So the disclosure period attempts to strike a balance, taking the risk that the bug is known and being actively exploited for the benefit of closing the gap between public knowledge and remediation. But inherently it is a risk that the bug reporter and the project maintainers are forcing on other people, which is why the end goal must ALWAYS be public disclosure sooner rather than later.