1124 points CrankyBear | 1 comments
theoldgreybeard No.45891941
The vulnerability in question is a Use After Free. Google used AI to find this bug; it would've taken them 3 seconds to fix it.

Burning cash to generate spam bug reports to burden volunteer projects when you have the extra cash to burn to just fix the damn issue leaves a very sour taste in my mouth.

V__ No.45892004
Notably, the vulnerability is also in a part which isn't included by default and nobody uses. I'm not sure that even warrants a CVE? A simple bug report would have probably been fine. If they think this is really a CVE, a bug fix commit would have been warranted.
esrauch No.45892310
One problem here is that CVE scoring is basically entirely bugged: something scored 8.7 could be an RCE exploit or a "may be able to waste CPU" issue.

That's the difference between "it may or may not be that there's someone who cares" versus "no one should be running this software anywhere in the general vicinity of untrusted inputs".

1. cestith No.45892472
You’re right about scoring, at least largely. Let’s not conflate the CVE system and the CVSS system, though. They are related but distinct. CVE is just an identifier system.