[FFmpeg-user] 2.8.14 security updates

Bryan Duff duff0097 at gmail.com
Wed May 16 01:25:56 EEST 2018

On Tue, May 15, 2018 at 4:46 PM, Carl Eugen Hoyos <ceffmpeg at gmail.com> wrote:

> 2018-05-15 22:02 GMT+02:00, Bryan Duff <duff0097 at gmail.com>:
> > Is 2.8.14 up-to-date as far as known security issues (e.g.
> > CVEs) are concerned?
> 2.8 is still supported and gets security updates:
> http://ffmpeg.org/download.html
> Note that nearly no fixed FFmpeg security issue gets a CVE,
> so CVEs have limited relevance for FFmpeg.

OK, and the reason I'm using 2.8 is because that's as high as the el7
rpmfusion repo goes to.

> > Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
> > mean that they only affect 3.x?  If not and they affect 2.8.14, then there
> > are a decent number that affect 2.8.14 (15 of them?)
> As said above, the number of CVEs has no relevance here,
> the number of fixed issues with possible security implications
> per release is approximately a magnitude bigger than the
> number of reported CVEs.

Yeah, I see quite a few commits from the OSS fuzzer.

> > For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
> > has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> > not affected.  Just trying to make sure.
> Could you elaborate what you want to know exactly?
> The issue in question was introduced after 2.8 was released but
> I wonder why you chose this example: This is a DoS, but valid
> files can easily be found that cause DoS for libavformat /
> libavcodec in a given environment, so you have to secure the
> libraries independently of our code to avoid DoS.

That example was just a real-world example that, based on how it's
worded, does not affect 2.8.x, so it wasn't backported to that branch.

As for DoS attacks - is that only relevant for streaming?

My usage is local (e.g. making an animation from screenshots, or format
conversion).  Any recommendations here?  Is 2.8 alright?  Anything on
hardening practices for FFmpeg?
> Carl Eugen
> _______________________________________________
> ffmpeg-user mailing list
> ffmpeg-user at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-user
> To unsubscribe, visit link above, or email
> ffmpeg-user-request at ffmpeg.org with subject "unsubscribe".
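On the hardening question above, and on the point that even valid files can exhaust resources in libavformat/libavcodec so the surrounding environment has to contain that: here is an added example, not part of this thread and not FFmpeg's own code, of a Python wrapper that runs ffmpeg (or any decoder) on a local file under CPU-time, virtual-memory, output-size and wall-clock limits, so a pathological input fails loudly instead of hanging or swapping the host. The ffmpeg command line, the limit values and the sample file names are assumptions; `run_limited` itself is generic.

```python
"""Run a decoder such as ffmpeg on untrusted local input under resource limits.

Added example (not from the ffmpeg-user thread or the FFmpeg project).
POSIX only: uses the resource module and subprocess preexec_fn.
"""
import resource
import subprocess
import sys

PYTHON = sys.executable  # used by the stand-alone demo and the tests

# Constructed defaults (assumption); tune for your machine and media sizes.
DEFAULT_LIMITS = {
    "cpu_seconds": 60,                      # RLIMIT_CPU soft limit
    "address_space_bytes": 4 * 1024 ** 3,   # RLIMIT_AS: 4 GiB of virtual memory
    "output_file_bytes": 2 * 1024 ** 3,     # RLIMIT_FSIZE: largest file the child may write
    "wall_seconds": 120,                    # wall-clock cap enforced from the parent
}


def _capped(value, which):
    """Never ask for more than the inherited hard limit, or setrlimit raises."""
    hard = resource.getrlimit(which)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    return value


def _apply_rlimits(limits):
    """Runs in the child after fork and before exec (subprocess preexec_fn)."""
    cpu = _capped(limits["cpu_seconds"] + 1, resource.RLIMIT_CPU)
    # Soft limit delivers SIGXCPU; the hard limit one second later is a SIGKILL backstop.
    resource.setrlimit(resource.RLIMIT_CPU, (max(cpu - 1, 1), cpu))
    mem = _capped(limits["address_space_bytes"], resource.RLIMIT_AS)
    resource.setrlimit(resource.RLIMIT_AS, (mem, mem))
    fsize = _capped(limits["output_file_bytes"], resource.RLIMIT_FSIZE)
    resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))
    # No core dumps: they are large and would contain decoded input.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_limited(argv, limits=None):
    """Run argv under the limits and report how it ended, never raising on a bad input."""
    limits = {**DEFAULT_LIMITS, **(limits or {})}
    try:
        proc = subprocess.run(
            argv,
            stdin=subprocess.DEVNULL,            # never let the child wait on a terminal
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            timeout=limits["wall_seconds"],      # subprocess.run kills the child on expiry
            preexec_fn=lambda: _apply_rlimits(limits),
            check=False,
        )
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "returncode": None, "stderr": ""}
    if proc.returncode < 0:
        # Killed by a signal: SIGXCPU/SIGKILL from the rlimits, or a crash in the decoder.
        status = "killed"
    elif proc.returncode == 0:
        status = "ok"
    else:
        status = "failed"
    return {
        "status": status,
        "returncode": proc.returncode,
        "stderr": proc.stderr.decode("utf-8", errors="replace")[-2000:],
    }


def ffmpeg_convert(src, dst, ffmpeg="ffmpeg", limits=None):
    """Convert one local file with ffmpeg under limits (assumed command line)."""
    argv = [ffmpeg, "-nostdin", "-hide_banner", "-y", "-i", src, dst]
    return run_limited(argv, limits)


if __name__ == "__main__":
    # Placeholder file names; replace with real paths.
    result = ffmpeg_convert("untrusted_input.mkv", "output.mp4")
    print(result["status"], result["returncode"])
    if result["status"] != "ok":
        print(result["stderr"])
```

The wall-clock timeout is the one limit that does not depend on the kernel honouring an rlimit, so it is the backstop for inputs that idle rather than spin. Note that `preexec_fn` is unsafe in a multi-threaded parent; in that case apply the same limits from a small shell wrapper with `ulimit` instead.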
