[FFmpeg-devel] CVE #s security fixes and backports
James Almer
jamrial at gmail.com
Sun Feb 23 23:45:07 EET 2025
On 2/23/2025 5:19 PM, Michael Niedermayer wrote:
> Hi
>
> On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:
>> On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
>>> Hi
>>>
>>> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
>>>> Hi all
>>>>
>>>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
>>>> and from our security page.
>>>>
>>>> These issues were posted publicly on trac, and fixed by FFmpeg developers.
>>>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security
>>>>
>>>> I suggest
>>>> 1. if you fix a security issue or apply a security fix, make sure it is
>>>> backported to all supported releases
>>>> 2. if you see a CVE # that's not on the security page, mail ffmpeg-security
>>>> 3. If you see issues on trac that seem important, please make sure they
>>>> are fixed and backported, having someone like carl who knew and maintained
>>>> all issues would be quite useful
>>>
>>> 4. Someone should cross check
>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
>>> and backported fixes and backport missing fixes and fix unfixed issues.
>>
>> Why are there memory leaks with a CVE?
>
> a memory leak can be a denial of service
>
>
>>
>> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
>> master.
>
> please add an entry to our security page stating that
How? It doesn't apply to any release. It's CVE who should fix their
description.
Also, I consider it a bit premature to make a CVE for an issue that's
only present in git master and was fixed immediately after it was
reported to us. It wasn't realistically deployed anywhere and only pads
the list.