
1125 points CrankyBear | 3 comments
woodruffw No.45891521
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
Yokolos No.45892941
I see you didn't read the article.

The problem isn't Google reporting vulnerabilities. It's Google using AI to find obscure bugs that affect 2 people on the planet, then making a CVE out of it, without putting any effort into fixing it themselves or funding the project. What are the ffmpeg maintainers supposed to do about this? It's a complete waste of everybody's time.

> The latest episode was sparked after a Google AI agent found an especially obscure bug in FFmpeg. How obscure? This “medium impact issue in ffmpeg,” which the FFmpeg developers did patch, is “an issue with decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.”

1. inkysigma No.45893950
I don't think that's an accurate description of the full scope of the problem. The codec itself is mostly unused, but the code path can possibly be triggered from the file fuzzing that ffmpeg uses, so a maliciously crafted payload (e.g. any run of ffmpeg that touches user input without disabling this codec) could possibly be exploited.
2. seb1204 No.45899451
Why doesn't Google simply build their own ffmpeg from source without the codec?
3. woodruffw No.45901506
They almost certainly do. But it's also in the public interest to responsibly disclose vulnerabilities in components that don't directly affect you.