Most active commenters
  • toast0(3)
  • tpmoney(3)
  • saagarjha(3)

←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1125 points CrankyBear | 31 comments | 11 Nov 25 18:32 UTC | HN request time: 0.939s | source | bottom
Show context
woodruffw ◴[11 Nov 25 19:16 UTC] No.45891521[source]
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #
Msurrow ◴[11 Nov 25 19:22 UTC] No.45891613[source]
My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of if the project had a chance to fix it.

To me its okay to “demand” from a for profit company (eg google) to fix an issue fast. Because they have ressources. But to “demand” that an oss project fix something with a certain (possibly tight) timeframe.. well I’m sure you better than me, that that’s not who volunteering works

replies(5): >>45891699 #>>45891755 #>>45891844 #>>45893088 #>>45898343 #
vadansky ◴[11 Nov 25 19:28 UTC] No.45891699[source]
On the other hand as an ffmpeg user do you care? Are you okay not being told a tool you're using has a vulnerability in it because the devs don't have time to fix it? I mean someone could already be using the vulnerability regardless of what Google does.
replies(9): >>45891756 #>>45891762 #>>45891975 #>>45892022 #>>45892359 #>>45892632 #>>45893251 #>>45895054 #>>45900572 #
1. afiori ◴[11 Nov 25 19:53 UTC] No.45891975[source]
This is a fantastic argument for the universe where Google does not disclose vulnerability until the maintainers had had reasonable time to fix it.

In this world the user is left vulnerable because attackers can use published vulnerabilities that the maintainers are to overwhelmed to fix

replies(3): >>45892177 #>>45892296 #>>45896986 #
2. esrauch ◴[11 Nov 25 20:10 UTC] No.45892177[source]
This program discloses security issues to the projects and only discloses them after they have had a "reasonable" chance to fix it though, and projects can request extensions before disclosure if projects plan to fix it but need more time.

Google runs this security program even on libraries they do not use at all, where it's not a demand, it's just whitehat security auditing. I don't see the meaningful difference between Google doing it and some guy with a blog doing it here.

replies(1): >>45893357 #
3. toast0 ◴[11 Nov 25 20:19 UTC] No.45892296[source]
The user is vulnerable while the problem is unfixed. Google publishing a vulnerability doesn't change the existence of the vulnerability. If Google can find it, so can others.

Making the vulnerability public makes it easy to find to exploit, but it also makes it easy to find to fix.

replies(4): >>45892602 #>>45892899 #>>45893864 #>>45895842 #
4. tremon ◴[11 Nov 25 20:47 UTC] No.45892602[source]
If it is so easy to fix, then why doesn't Google fix it? So far they've spent more effort in spreading knowledge about the vulnerability than fixing it, so I don't agree with your assessment that Google is not actively making the world worse here.
replies(1): >>45892728 #
5. toast0 ◴[11 Nov 25 20:57 UTC] No.45892728{3}[source]
I didn't say it was easy to fix. I said a publication made it easy to find it, if someone wanted to fix something.

If you want to fix up old codecs in ffmpeg for fun, would you rather have a list of known broken codecs and what they're doing wrong; or would you rather have to find a broken codec first.

6. nmz ◴[11 Nov 25 21:10 UTC] No.45892899[source]
> If Google can find it, so can others.

While true, Only Google has google infrastructure, this presupposes that 100% of all published exploits would be findable.

replies(1): >>45896697 #
7. XorNot ◴[11 Nov 25 21:49 UTC] No.45893357[source]
Google is a multi-billion dollar company, which is paying people to find these bugs in the first place.

That's a pretty core difference.

replies(2): >>45895309 #>>45895376 #
8. BobaFloutist ◴[11 Nov 25 22:39 UTC] No.45893864[source]
>If Google can find it, so can others.

What a strange sentence. Google can do a lot of things that nobody can do. The list of things that only Google, a handful of nation states, and a handful of Google-peers can do is probably even longer.

replies(2): >>45894096 #>>45896995 #
9. toast0 ◴[11 Nov 25 23:01 UTC] No.45894096{3}[source]
Sure, but running a fuzzer on ancient codecs isn't that special. I can't do it, but if I wanted to learn how, codecs would be a great place to start. (in fact, Google did some of their early fuzzing work in 2012-2014 on ffmpeg [1]) Media decoders have been the vector for how many zero interaction, high profile attacks lately? Media decoders were how many of the Macromedia Flash vulnerabilities? Codecs that haven't gotten any new media in decades but are enabled in default builds are a very good place to go looking for issues.

Google does have immense scale that makes some things easier. They can test and develop congestion control algorithms with world wide (ex-China) coverage. Only a handful of companies can do that; nation states probably can't. Google isn't all powerful either, they can't make Android updates really work even though it might be useful for them.

[1] https://security.googleblog.com/2014/01/ffmpeg-and-thousand-...

10. thevillagechief ◴[12 Nov 25 01:22 UTC] No.45895309{3}[source]
Corporate Social Responsibility? The assumption is that the work is good for end users. I don't know if that's the case for the maintainers though.
11. tpmoney ◴[12 Nov 25 01:30 UTC] No.45895376{3}[source]
Great, so Google is actively spending money on making open source projects better and more secure. And for some reason everyone is now mad at them for it because they didn't also spend additional money making patches themselves. We can absolutely wish and ask that they spend some money and resources on making those patches, but this whole thing feels like the message most corporations are going to take is "don't do anything to contribute to open source projects at all, because if you don't do it just right, they're going to drag you through the mud for it" rather than "submit more patches"
replies(3): >>45895606 #>>45897362 #>>45897419 #
12. khannn ◴[12 Nov 25 02:07 UTC] No.45895606{4}[source]
They're actively making open source projects less secure by publishing bugs that the projects don't have the volunteers to fix

I saw another poster say something about "buggy software". All software is buggy.

replies(2): >>45895793 #>>45896004 #
13. saagarjha ◴[12 Nov 25 02:36 UTC] No.45895793{5}[source]
Publishing bugs that the project has so that they can be fixed is actively making the project more secure. How is someone going to do anything about it if Google didn’t do the research?
replies(1): >>45895868 #
14. betaby ◴[12 Nov 25 02:42 UTC] No.45895842[source]
> If Google can find it, so can others.

Not really. It requires time, ergo money.

replies(1): >>45896692 #
15. khannn ◴[12 Nov 25 02:46 UTC] No.45895868{6}[source]
Did you see how the FFMPEG project patched a bug for a 1995 console? That's not a good use for the limited amount of volunteers on the project. It actively makes it less secure by taking away from more pertinent bugs.
replies(3): >>45896001 #>>45896653 #>>45898207 #
16. saagarjha ◴[12 Nov 25 03:07 UTC] No.45896001{7}[source]
Then they should mark it as low priority and put it in their backlog. I trust that the maintainers are good judges of what deserves their time.
replies(1): >>45897111 #
17. tpmoney ◴[12 Nov 25 03:07 UTC] No.45896004{5}[source]
The bug exists whether or not google publishes a public bug report. They are no more making the project less secure than if some retro-game enthusiast had found the same bug and made a blog post about it.
18. dodobirdlord ◴[12 Nov 25 05:24 UTC] No.45896653{7}[source]
The codec can be triggered to run automatically by adversarial input. The irrelevance of the format is itself irrelevant when ffmpeg has it on by default.
19. chii ◴[12 Nov 25 05:33 UTC] No.45896692{3}[source]
which bad actors would have more of, as they'd have a financial incentive to make use of the found vulnerabilities. White hats don't get anything in return (financially) - it's essentially charity work.
20. chii ◴[12 Nov 25 05:34 UTC] No.45896697{3}[source]
you'd assume that a bad actor would have found the exploit and kept it hidden for their own use. To assume otherwise is fundamentally flawed security practice.
21. om2 ◴[12 Nov 25 06:32 UTC] No.45896986[source]
In this world and the alternate universe both, attackers can also use _un_published vulnerabilities because they have high incentive to do research. Keeping a bug secret does not prevent it from existing or from being exploited.
22. om2 ◴[12 Nov 25 06:34 UTC] No.45896995{3}[source]
Nation-states are a very relevant part of the threat model.
23. XorNot ◴[12 Nov 25 06:56 UTC] No.45897111{8}[source]
Publicizing vulnerabilities is the problem though. Google is ensuring obscure or unknown vulnerabilities will now be very well known and very public.

This is significant when they represent one of the few entities on the planet likely able to find bugs at that scale due to their wealth.

So funding a swarm of bug reports, for software they benefit from, using a scale of resources not commonly available, while not contributing fixes and instead demanding timelines for disclosure, seems a lot more like they'd just like to drive people out of open source.

replies(1): >>45898444 #
24. troupo ◴[12 Nov 25 07:43 UTC] No.45897362{4}[source]
> so Google is actively spending money on making open source projects better and more secure

It looks like they are now starting to flood OSS with issues because "our AI tools are great", but don't want to spend a dime helping to fix those issues.

xkcd 2347

replies(1): >>45908186 #
25. samus ◴[12 Nov 25 07:50 UTC] No.45897419{4}[source]
Why should Google not be expected to also contribute fixes to a core dependency of their browser, or to help funding the developers? Just publishing bug reports by themselves does not make open source projects secure!
replies(1): >>45898103 #
26. walletdrainer ◴[12 Nov 25 09:26 UTC] No.45898103{5}[source]
Google does do that.

This bit of ffmpeg is not a Chrome dependency, and likely isn’t used in internal Google tools either.

> Just publishing bug reports by themselves does not make open source projects secure!

It does, especially when you first privately report them to the maintainers and give them a plenty of time to fix the bug.

replies(1): >>45898853 #
27. Dylan16807 ◴[12 Nov 25 09:41 UTC] No.45898207{7}[source]
If it was a rendering bug it would be a waste of time. But they also wouldn't have any pressure to fix it.

An exploit is different. It can affect anyone and is quite pertinent.

28. saagarjha ◴[12 Nov 25 10:18 UTC] No.45898444{9}[source]
I think most people learned about this bug from FFmpeg's actions, not Google's. Also, you are underestimating adversaries: Google spends quite a bit of money on this, but not a lot given their revenue, because their primary purpose is not finding security bugs. There are entities that are smaller than Google but derive almost all their money from finding exploits. Their results are broadly comparable but they are only publicized when they mess up.
29. Orygin ◴[12 Nov 25 11:26 UTC] No.45898853{6}[source]
It doesn't if you report lots of "security" issues (like this 25 years old bug) and give too little time to fix them.

Nobody is against Google reporting bugs, but they use automatic AI to spam them and then expect a prompt fix. If you can't expect the maintainers to fix the bug before disclosure, then it is a balancing act: Is the bug serious enough that users must be warned and avoid using the software? Will disclosing the bug now allow attackers to exploit it because no fix has been made?

In this case, this bug (imo) is not serious enough to warrant a short disclosure time, especially if you consider *other* security notices that may have a bigger impact. The chances of an attacker finding this on their own and exploiting it are low, but now everybody is aware and you have to rush to update.

replies(1): >>45899087 #
30. walletdrainer ◴[12 Nov 25 11:58 UTC] No.45899087{7}[source]
The timeline here is pretty long, and Google will provide an extension if you ask.

What do you believe would be an appropriate timeline?

>especially if you consider other security notices that may have a bigger impact.

This is a bug in the default config that is likely to result in RCE, it doesn’t get that much worse than this.

31. tpmoney ◴[12 Nov 25 23:07 UTC] No.45908186{5}[source]
According to the ffmpeg maintainer's own website (fflabs.eu) Google is spending plenty of dimes helping to fix issues in ffmpeg. Certainly they're spending enough dimes for the maintainers to proudly display Google's logo on their site as a customer of theirs.