[FFmpeg-user] 2.8.14 security updates

Bryan Duff duff0097 at gmail.com
Wed May 16 01:25:56 EEST 2018


On Tue, May 15, 2018 at 4:46 PM, Carl Eugen Hoyos <ceffmpeg at gmail.com>
wrote:

> 2018-05-15 22:02 GMT+02:00, Bryan Duff <duff0097 at gmail.com>:
> > Is 2.8.14 up-to-date as far as known security issues (e.g.
> > CVEs) are concerned?
>
> 2.8 is still supported and gets security updates:
> http://ffmpeg.org/download.html
> Note that nearly no fixed FFmpeg security issue gets a CVE,
> so CVEs have limited relevance for FFmpeg.
>

OK, and the reason I'm using 2.8 is because that's as high as the el7
rpmfusion repo goes to.


> > Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
> > mean that they only affect 3.x?  If not and they affect 2.8.14, then there
> > are a decent number that affect 2.8.14 (15 of them?)
>
> As said above, the number of CVEs has no relevance here,
> the number of fixed issues with possible security implications
> per release is approximately a magnitude bigger than the
> number of reported CVEs.
>

Yeah, I see quite a few commits from the OSS fuzzer.


> > For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
> > has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> > not affected.  Just trying to make sure.
>
> Could you elaborate what you want to know exactly?
> The issue in question was introduced after 2.8 was released but
> I wonder why you chose this example: This is a DOS, but valid
> files can easily be found that cause DOS for libavformat /
> libavcodec in a given environment, so you have to secure the
> libraries independently of our code to avoid DOS.
>

That example was just a real-world example that, based on how it's
worded, does not affect 2.8.x, so it wasn't backported to that branch.

As for DOS attacks - is that only relevant for streaming?

My usage is local (e.g. making an animation from screenshots, or format
conversion).  Any recommendations here?  Is 2.8 alright?  Anything on
hardening practices for FFmpeg?

Thanks.

-Bryan

>
> Carl Eugen
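Carl Eugen's point above, that a valid file can tie up libavformat/libavcodec and the process therefore has to be confined independently of FFmpeg's own code, applies just as much to local one-off conversions as to streaming. The following is an added example, not code from this thread or from the FFmpeg project: a POSIX sh wrapper that runs a media job under a CPU-time limit, an address-space limit and a wall-clock watchdog, so a malformed or merely pathological input can only crash or stall its own process. The command name `ffmpeg`, the limit values and the function name `run_bounded` are assumptions for illustration.

```shell
# Added example, not from the thread or the FFmpeg project: confine a local
# media job so a bad input exhausts only its own process, not the host.
# Limit values below are assumptions; tune them to the machine and the job.

# usage: run_bounded <cpu_seconds> <mem_kb> <wall_seconds> <command...>
run_bounded() {
  cpu="$1"; mem="$2"; wall="$3"; shift 3
  (
    # Limits set in this subshell apply to everything it starts.
    ulimit -t "$cpu" || exit 70    # CPU seconds before the kernel sends SIGXCPU
    ulimit -v "$mem" || exit 70    # address space in KB; allocations fail past it
    ulimit -c 0                     # leave no core dump behind after a crash
    "$@" &
    child=$!
    # Wall-clock watchdog: a decoder stuck waiting or looping slowly burns
    # little CPU time, so the CPU limit alone would never stop it.
    ( sleep "$wall"; kill -TERM "$child" 2>/dev/null ) </dev/null >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$child" || status=$?
    kill "$watchdog" 2>/dev/null
    exit "$status"                  # >128 means the job died from a signal
  )
}

# Example (assumed values): 60 CPU-seconds, 2 GiB address space, 5 minutes wall.
# run_bounded 60 2097152 300 ffmpeg -i input.mkv -c:v libx264 output.mp4
```

The exit status tells the caller what happened: 0 for a clean run, 70 if a limit could not be applied, and a value above 128 when the job was terminated by a signal (SIGXCPU from the CPU limit or SIGTERM from the watchdog), which is the condition worth logging when batch-converting untrusted files.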
