[FFmpeg-devel] sws support xyz input floors MS Antivirus Program

Nicolas George nicolas.george at normalesup.org
Mon May 6 14:43:56 CEST 2013

Le septidi 17 floréal, an CCXXI, Jan Ehrhardt a écrit :
> Of course, it is his call. But it would not be my choice. I regularly
> build PHP myself and make those builds available through sites like
> Apachelounge. If I knew that a PHP-component could trigger this
> vulnerability, I would disable that component and clearly state why I
> did such. Even though ffmpeg in it self does not have a security risk,
> there is always a chance that making MSE crash gives other attackers
> golden opportunities.

I believe this reasoning is wrong for two reasoning reasons:

First, if attackers need MSE to crash, they can make it crash themselves.

Second, if you have something running with a security issue, you should stop
it. This is true whether this thing is called "useless blob made by a bunch
of incompetents" or "security essentials".

I already made the second point, you missed it: by crashing MSE harmlessly,
ffmpeg is making the users' boxes more secure, not less.

> To some users it might not even be clear what causes the MSE-crash.

Add a flashy warning near the download link.


  Nicolas George
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20130506/2ea530e8/attachment.asc>

More information about the ffmpeg-devel mailing list