[FFmpeg-user] 2.8.14 security updates
duff0097 at gmail.com
Wed May 16 01:25:56 EEST 2018
On Tue, May 15, 2018 at 4:46 PM, Carl Eugen Hoyos <ceffmpeg at gmail.com> wrote:
> 2018-05-15 22:02 GMT+02:00, Bryan Duff <duff0097 at gmail.com>:
> > Is 2.8.14 up-to-date as far as known security issues (e.g.
> > CVE's) are concerned?
> 2.8 is still supported and gets security updates:
> Note that nearly no fixed FFmpeg security issue gets a CVE,
> so CVE's have limited relevance for FFmpeg.
OK, and the reason I'm using 2.8 is because that's as high as the el7
rpmfusion repo goes to.
> > Looking at CVE's for ffmpeg, some will say "3.x.y and before" - does that
> > mean that they only affect 3.x? If not and they affect 2.8.14, then
> > there are a decent number that affect 2.8.14 (15 of them?)
> As said above, the number of CVE's has no relevance here,
> the number of fixed issues with possible security implications
> per release is approximately a magnitude bigger than the
> number of reported CVE's.
Yeah, I see quite a few commits from the OSS fuzzer.
> > For example, https://cve.mitre.org/cgi-bin/
> > has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> > not affected. Just trying to make sure.
> Could you elaborate what you want to know exactly?
> The issue in question was introduced after 2.8 was released but
> I wonder why you chose this example: This is a DOS, but valid
> files can easily be found that cause DOS for libavformat /
> libavcodec in a given environment, so you have to secure the
> libraries independently of our code to avoid DOS.
That example was just a real-world example that, based on how it's
worded, does not affect 2.8.x, so it wasn't backported to that branch.
As for DOS attacks - is that only relevant for streaming?
My usage is local (e.g. making an animation from screenshots, or format
conversion). Any recommendations here? Is 2.8 alright? Anything on
hardening practices for FFmpeg?
> Carl Eugen
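
Added example, not part of the original thread: one way to apply the advice quoted above about securing the libraries independently against DOS is to run each conversion under operating-system resource limits. It assumes Linux, coreutils `timeout`, and a shell whose `ulimit` supports `-t`, `-v` and `-c`; the function names, limit values and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux, coreutils `timeout`,
# and a shell whose `ulimit` supports -t, -v and -c (bash and dash do).

# run_limited CPU_SECONDS WALL_SECONDS MEM_KIB command [args...]
# Runs the command with hard ceilings on CPU time, wall-clock time and
# address space, so a file that makes the decoder spin or allocate without
# bound is killed instead of tying up the host.
run_limited() {
    if [ "$#" -lt 4 ]; then
        echo "usage: run_limited CPU_S WALL_S MEM_KIB command [args...]" >&2
        return 2
    fi
    rl_cpu=$1 rl_wall=$2 rl_mem=$3
    shift 3
    (
        # Limits are set in a subshell so the calling shell keeps its own.
        ulimit -c 0 || exit 125          # no core dumps of crashed decoders
        ulimit -t "$rl_cpu" || exit 125  # CPU seconds; kernel signals on overrun
        ulimit -v "$rl_mem" || exit 125  # address space in KiB; allocations fail
        # timeout covers stalls that burn no CPU (blocked I/O, sleeps);
        # -k 2 sends SIGKILL if SIGTERM is ignored for 2 seconds.
        exec timeout -k 2 "$rl_wall" "$@"
    )
}

# Exit-status summary for callers (batch scripts, cron jobs):
#   0        command finished normally
#   124      wall-clock limit hit (timeout's documented status)
#   125      a limit could not be applied (chosen here; timeout also uses it)
#   other    command failed or was killed, e.g. by the CPU limit
describe_status() {
    case "$1" in
        0)   echo ok ;;
        124) echo wall-clock-limit ;;
        125) echo setup-failed ;;
        *)   echo failed-or-killed ;;
    esac
}

# Hypothetical usage for the local conversion case (file names are placeholders):
#   run_limited 120 300 2097152 ffmpeg -nostdin -i input.mkv output.mp4
#   describe_status "$?"
```

The limits bound what a single run can consume; they do not make the decoder itself any safer, so input from untrusted sources still calls for a current release.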