[FFmpeg-devel] CVE #s security fixes and backports
Michael Niedermayer
michael at niedermayer.cc
Sun Feb 23 22:19:33 EET 2025
Hi
On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
> On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> > Hi
> >
> > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > > Hi all
> > >
> > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
> > > and from our security page.
> > >
> > > These issues where posted publically on trac, and fixed by FFmpeg developers.
> > > Then someone seems to have registered CVE #s but not mailed ffmpeg-security
> > >
> > > I suggest
> > > 1. if you fix a security issue or apply a security fix, make sure it is
> > > backported to all supported releases
> > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
> > > 3. If you see issues on trac that seem important, please make sure they
> > > are fixed and backported, having someone like carl who knew and maintained
> > > all issues would be quite usefull
> >
> > 4. Someone should cross check
> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
> > and backported fixes and backport missing fixes and fix unfixed issues.
>
> Why are there memory leaks with a CVE?
a memory leak can be a denial of service
>
> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
> master.
please add a entry to our security page stating that
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The difference between a dictatorship and a democracy is that every 4 years
the population together is allowed to provide 1 bit of input to the government.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250223/95cca08a/attachment.sig>
More information about the ffmpeg-devel
mailing list