[FFmpeg-devel] sws support xyz input floors MS Antivirus Program

Nicolas George nicolas.george at normalesup.org
Mon May 6 11:45:31 CEST 2013


On Septidi 17 Floréal, year CCXXI, Jan Ehrhardt wrote:
> You may be right. But, on the other hand, people like Kyle Schwarz
> (Zeranoe) are in a dilemma right now: make new builds with a known
> security risk, disable 1 feature of FFmpeg or stop making new builds for
> the moment. What would you do?

There is no security risk in ffmpeg.

There is a security risk in MSE, it is present whether Zeranoe provides the
binary or not. Unless proven otherwise, we have to suppose that this
security risk is exploitable; therefore, having MSE disabled is better than
keeping running with the hole.

If anything, providing ffmpeg binaries that trigger it is best, because it
will trigger it harmlessly (the service crashes, it does not get exploited)
and convince people to disable it until Microsoft publishes a fix.

Regards,

-- 
  Nicolas George