[FFmpeg-user] 2.8.14 security updates

Carl Eugen Hoyos ceffmpeg at gmail.com
Wed May 16 02:01:41 EEST 2018


2018-05-16 0:25 GMT+02:00, Bryan Duff <duff0097 at gmail.com>:
> On Tue, May 15, 2018 at 4:46 PM, Carl Eugen Hoyos wrote:

[...]

>> Could you elaborate what you want to know exactly?
>> The issue in question was introduced after 2.8 was released but
>> I wonder why you chose this example: This is a DOS, but valid
>> files can easily be found that cause DOS for libavformat /
>> libavcodec in a given environment, so you have to secure the
>> libraries independently of our code to avoid DOS.
>
> That example was just a real world example that, based on how it's
> worded, does not affect 2.8.x, so it wasn't backported to that branch.

Not 100% sure if it counts as "real world example" especially as it
is "only" a DOS issue which is nothing out-of-the-ordinary for
FFmpeg.

> As for DOS attacks - is that only relevant for streaming?

I am not sure I understand the question but no, DOS is
always (security-) relevant although as said, it is possible
to use FFmpeg's libraries for DOS on a given system with
valid input files.

> My usage is local (e.g making an animation from
> screenshots, or format conversion).

> Any recommendations here?  Is 2.8 alright?

Same recommendation as always on this mailing list:
Except for security issues, only current FFmpeg git
head is supported.

> Anything on hardening practices for FFmpeg?

There is --toolchain=hardened (try not to copy various
other "recommendations", they are mostly meant to
produce slow binaries and at the same time try to
trigger gcc regressions, see the Gentoo FFmpeg bug
reports).

Carl Eugen
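
The two points above, build with --toolchain=hardened and accept that even a valid file can make libavcodec/libavformat burn CPU or memory, call for two different controls: verify what the build actually produced, and cap what a single conversion may consume. The Python below is an added example written for this page; it is not FFmpeg code and not from anyone in the thread. hardening_report() reads an ELF64 image and reports the properties the hardened toolchain is meant to give the binary (configure's hardened case adds, among others, -fstack-protector-all, -D_FORTIFY_SOURCE=2, -fPIE/-pie and -Wl,-z,relro -Wl,-z,now; checking the output is more trustworthy than trusting the flags). run_limited() runs a command under wall-clock, CPU-time and address-space limits, the cheap local mitigation for a decoder that loops or allocates without bound. The ELF image checked by default comes from fake_elf(), a constructed minimal image, not a real binary; the function names, the helper and the limit values are this example's own assumptions.

```python
"""Verify a hardened FFmpeg build and run it under resource limits.
Constructed example for this thread; not FFmpeg project code."""
import struct
import subprocess
import resource
import sys

# ELF64 constants, from the ELF spec and glibc's elf.h
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def hardening_report(data):
    """Inspect a little-endian ELF64 image and report the properties
    a --toolchain=hardened build is expected to have."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, dyn_tags = False, {}
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:              # -Wl,-z,relro
            relro = True
        elif p_type == PT_DYNAMIC:              # walk the dynamic array
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                dyn_tags[tag] = val
    flags1 = dyn_tags.get(DT_FLAGS_1, 0)
    return {
        "pie": e_type == ET_DYN,                # -fPIE -pie links as ET_DYN
        "relro": relro,
        # -Wl,-z,now shows up as DT_FLAGS/DF_BIND_NOW or DT_FLAGS_1/DF_1_NOW
        "bind_now": bool(dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                         or flags1 & DF_1_NOW),
        # -fstack-protector*: checksec-style heuristic, the canary failure
        # routine is referenced by name in the dynamic symbol/string tables
        "stack_protector": b"__stack_chk_fail" in data,
    }


def fake_elf(hardened):
    """Constructed minimal ELF64 image (header, two program headers, a
    dynamic array) so the check can run offline without a real binary."""
    phoff, phentsize, phnum = 64, 56, 2
    dyn_off = phoff + phnum * phentsize
    dyn = ([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_PIE | DF_1_NOW)]
           if hardened else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if hardened else 2, 62, 1,
                        0, phoff, 0, 0, 64, phentsize, phnum, 64, 0, 0)
    ph_first = struct.pack("<IIQQQQQQ", PT_GNU_RELRO if hardened else 1,
                           4, 0, 0, 0, 0, 0, 1)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                         len(dyn_bytes), len(dyn_bytes), 8)
    image = ehdr + ph_first + ph_dyn + dyn_bytes
    return image + (b"\0__stack_chk_fail\0" if hardened else b"")


def run_limited(argv, wall_seconds, cpu_seconds, mem_bytes):
    """Run argv with a wall-clock timeout plus RLIMIT_CPU and RLIMIT_AS,
    so a looping or over-allocating decode cannot take the box down."""
    def apply_limits():
        for res, val in ((resource.RLIMIT_CPU, cpu_seconds),
                         (resource.RLIMIT_AS, mem_bytes)):
            _soft, hard = resource.getrlimit(res)
            if hard != resource.RLIM_INFINITY:
                val = min(val, hard)        # never try to raise a hard limit
            resource.setrlimit(res, (val, val))
    try:
        proc = subprocess.run(argv, preexec_fn=apply_limits, timeout=wall_seconds,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return {"status": "exited", "rc": proc.returncode}
    except subprocess.TimeoutExpired:           # child is killed by run()
        return {"status": "timeout", "rc": None}


def python_sleep_cmd(seconds):
    """Stand-in for an ffmpeg invocation: a child that just sleeps."""
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. ./ffmpeg
    data = open(path, "rb").read() if path else fake_elf(True)
    print(path or "constructed image", hardening_report(data))
    print(run_limited(python_sleep_cmd(30), 1, 5, 2 * 2**30))
```

Run it with the path of the freshly built ffmpeg to confirm all four entries are True; for the real conversion, call run_limited(["./ffmpeg", "-i", in_file, out_file], wall, cpu, mem) with limits sized for the job, remembering that RLIMIT_AS counts virtual address space, so threaded decodes need more headroom than their resident size suggests.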

