
1124 points CrankyBear | 10 comments
theoldgreybeard No.45891941
The vulnerability in question is a Use After Free. Google used AI to find this bug, it would've taken them 3 seconds to fix it.

Burning cash to generate spam bug reports to burden volunteer projects when you have the extra cash to burn to just fix the damn issue leaves a very sour taste in my mouth.

replies(4): >>45892004 >>45892129 >>45892230 >>45895702
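The comment above names the bug class (a use-after-free) without showing what one looks like in a demuxer-style parser. Below is a constructed, schematic example, not ffmpeg's code and not the reported bug: a chunk reader keeps an owning pointer to the current header chunk plus a non-owning alias to it, and the vulnerable variant frees the owned chunk on a second header without re-pointing the alias, so the next data chunk reads freed memory. The chunk format, tag values, struct names and function names are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format (assumption): a stream of [1-byte tag][1-byte len][payload]. */
enum { TAG_HDR = 1, TAG_DATA = 2 };

typedef struct {
    uint8_t len;
    uint8_t payload[255];
} Chunk;

typedef struct {
    Chunk *hdr;        /* owning pointer to the most recent header chunk */
    const Chunk *ref;  /* non-owning alias to "the header in force" */
    size_t accepted;   /* data chunks whose length matched the header in force */
} State;

typedef void (*on_hdr_fn)(State *s, Chunk *fresh);

/* Vulnerable variant: the owner is replaced on every header, but the alias is
 * only seeded once. After the second header, s->ref points at freed memory. */
static void on_header_vuln(State *s, Chunk *fresh) {
    free(s->hdr);                   /* may be the object s->ref still points to */
    s->hdr = fresh;
    if (!s->ref) s->ref = s->hdr;   /* only on the first header: dangles afterwards */
}

/* Fixed variant: every time the owner changes, every alias is re-pointed.
 * (Equivalent: set s->ref = NULL before free() and re-derive it afterwards.) */
static void on_header_safe(State *s, Chunk *fresh) {
    free(s->hdr);
    s->hdr = fresh;
    s->ref = s->hdr;
}

/* Parses the stream, returning the number of accepted data chunks, or -1 if the
 * input is malformed (truncated chunk, unknown tag, data before any header). */
static int process(const uint8_t *in, size_t n, on_hdr_fn on_hdr) {
    State s = {0};
    size_t i = 0;
    int rc = 0;

    while (i < n) {
        if (n - i < 2) { rc = -1; break; }           /* truncated chunk header */
        uint8_t tag = in[i];
        uint8_t len = in[i + 1];
        if (n - i - 2 < len) { rc = -1; break; }     /* truncated payload */
        const uint8_t *payload = in + i + 2;

        if (tag == TAG_HDR) {
            Chunk *c = malloc(sizeof *c);
            if (!c) { rc = -1; break; }
            c->len = len;
            memcpy(c->payload, payload, len);
            on_hdr(&s, c);                            /* ownership moves into s.hdr */
        } else if (tag == TAG_DATA) {
            if (!s.ref) { rc = -1; break; }           /* data before any header */
            if (len == s.ref->len) s.accepted++;      /* UAF here in the vuln variant */
        } else {
            rc = -1; break;
        }
        i += 2 + (size_t)len;
    }

    free(s.hdr);
    return rc < 0 ? rc : (int)s.accepted;
}

int main(void) {
    /* Constructed sample: two headers (len 2, then len 3), then data of len 3 and len 2. */
    static const uint8_t sample[] = {
        TAG_HDR, 2, 'a', 'b',
        TAG_HDR, 3, 'x', 'y', 'z',
        TAG_DATA, 3, '1', '2', '3',
        TAG_DATA, 2, '1', '2',
    };
    /* Only the safe variant is run; the vulnerable one is undefined behaviour
     * on this input and is kept solely to show the pattern. */
    printf("accepted data chunks: %d\n",
           process(sample, sizeof sample, on_header_safe));
    return 0;
}
```

Running the vulnerable variant under AddressSanitizer on the same sample reports a heap-use-after-free at the `s.ref->len` read, which is the kind of finding a fuzzer or an AI-driven bug hunt surfaces; the fix is the one-line alias update.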
1. V__ No.45892004
Notably, the vulnerability is also in a part which isn't included by default and nobody uses. I'm not sure that even warrants a CVE? A simple bug report would have probably been fine. If they think this is really a CVE, a bug fix commit would have been warranted.
replies(6): >>45892046 >>45892099 >>45892116 >>45892138 >>45892310 >>45898290
2. immibis No.45892046
AIUI there's no such thing as "really a CVE". A CVE is merely a standardized identifier for a bug so you can call it "CVE-2025-XXXXX" rather than "that use-after-free Google found in ffmpeg with AI." It doesn't imply anything else about the bug, except that it may impact security. The Linux kernel assigns one to every bugfix that may impact security (which is most kernel bugs) to avoid controversy about whether they should be assigned.
3. dieortin No.45892099
It is included by default
4. oskarkk No.45892116
It is included in most builds of ffmpeg, for example in most Linux packages or in the Windows build linked to on ffmpeg.org that I use. But yeah, it's a very niche format that nobody uses.
5. No.45892138
6. esrauch No.45892310
One problem here is that CVE scoring is basically entirely bugged, something scored 8.7 could be an RCE exploit or a "may be able to waste CPU" issue.

That's the difference between "it may or may not be that there's someone who cares" versus "no one should be running this software anywhere in the general vicinity of untrusted inputs".

replies(2): >>45892472 >>45892918
7. cestith No.45892472
You’re right about scoring, at least largely. Let’s not conflate the CVE system and the CVSS system, though. They are related but distinct. CVE is just an identifier system.
8. strictnein No.45892918
> One problem here is that CVE scoring is basically entirely bugged, something scored 8.7 could be an RCE exploit or a "may be able to waste CPU" issue.

+100000

My favorite 8.x or higher CVEs are the ones where you would have to take untrusted user input, bypass all the standard ways to ingest and handle that type of data, and pass it into some internal function of a library. And then the end result is that a regex call becomes more expensive.

replies(1): >>45902170
9. walletdrainer No.45898290
Not only is it included by default, but you can trigger this with a file that looks like an mp4 to the user.
10. Sohcahtoa82 No.45902170
If you think that's bad, you should look at Linux kernel CVEs. They've basically gone rogue when it comes to CVEs. Every minor bug gets flagged as a CVE, regardless of impact. Often, exploitation requires root access. If you have root, you've already won and can do whatever the hell you want. No need to exploit a bug to cause problems.