1125 points CrankyBear | 1 comments
theoldgreybeard ◴[] No.45891941[source]
The vulnerability in question is a Use After Free. Google used AI to find this bug; it would've taken them 3 seconds to fix it.

Burning cash to generate spam bug reports to burden volunteer projects when you have the extra cash to burn to just fix the damn issue leaves a very sour taste in my mouth.

V__ ◴[] No.45892004[source]
Notably, the vulnerability is also in a part which isn't included by default and nobody uses. I'm not sure that even warrants a CVE? A simple bug report would have probably been fine. If they think this is really a CVE, a bug fix commit would have been warranted.
1. oskarkk ◴[] No.45892116[source]
It is included in most builds of ffmpeg, for example in most Linux packages or in the Windows build linked to on ffmpeg.org that I use. But yeah, it's a very niche format that nobody uses.