[FFmpeg-devel] [rfc] ffmpeg security issue mailing list

wm4 nfxjfg at googlemail.com
Thu Feb 9 09:25:43 EET 2017


On Wed, 8 Feb 2017 22:07:24 +0100
Michael Niedermayer <michael at niedermayer.cc> wrote:

> Hi all
> 
> On Sat, Aug 08, 2015 at 03:51:11AM +0200, Michael Niedermayer wrote:
> > > On Fri, Aug 07, 2015 at 07:46:55PM -0400, compn wrote:
> > > hello,
> > > 
> > > some of you know that we have a list for security / CVE issues.
> > > some of you did not know this.
> > > 
> > > I think it is a private list due to not wanting people to make exploits
> > > before we have a chance to fix them. of course, if no one is subscribed
> > > to review/fix issues then they will never get fixed.
> > > 
> > > so if you are a regular developer who wants access to this list, please
> > > speak up.
> > > 
> > > I do not run nor admin the security email/list (nor do I know who does)
> > > so please don't ask me questions about it.
> > 
> > I guess I "de facto" admin the security "email/list".
> > If someone wants to help with security issues, mail me.
> > 
> > But there are no open security issues and if there was one I very
> > likely would fix it ASAP.
> 
> A small update due to never? before seen interest in ffmpeg-security
> in the recent weeks/months
> 
> How to get on the ffmpeg-security "list"
> 
> People working on security in FFmpeg, that's maybe fixing many coverity
> issues, backporting fixes to releases, maintaining FFmpeg releases, ...
> have an obsession with fixing bugs about undefined behavior or bugs
> about crashes and race conditions on trac. Or an obsession with testing
> every bugfix and who want and need access to ffmpeg-security should
> be on ffmpeg-security.
> In short, people on ffmpeg-security should need to be on ffmpeg-security.
> If you fall in this kind of category, please mail me.
> 
> Or someone who reviews commits and obtains CVE#s for everything that
> could be exploitable ...
> 
> I don't think we should give access to ffmpeg-security to everyone who
> wants to be on the list. This is of course something the community
> has to decide and not me, I am just err-ing on the safe side and am very
> restrictive on who is added.
> 
> About the content I must warn you the list is really not very
> interesting, as in trying to find together with debian someone at
> chromium who knows what the CVEs they registered about FFmpeg actually
> are about ... and then it embarrassingly is a patch on ffmpeg-devel
> that is stuck in review and not applied and now I can redo the releases ...
> ... Where are the people caring about security? Why did they not
> pick these 2 public patches up, change what they felt needs changing
> and pushed them?
> And there are the fuzz samples that need more than 20sec, these are
> the main type of reported issue recently after I've succeeded to stop
> the oom kind.
> 
> Also there are no open security(*) issues I know of, and if there would
> be I likely would fix them ASAP. Not saying that help is unwelcome
> or that it's impossible for me to make a mistake or miss something ...
> 
> (*) I assume here that fuzz samples taking more than 20sec or integer
> overflows in DSP code aren't security issues. I am working on fixing
> these too but for this category there are open issues.
> 
> PS: If you want access to the oss-fuzz reports, they all seem
> automatically public 7 days after being fixed
> 
> [...]
> 

I'd like to get on the ffmpeg-security mailing list to review patches.

I've asked multiple times, but never received an answer.