[FFmpeg-devel] [rfc] ffmpeg security issue mailing list

Michael Niedermayer michael at niedermayer.cc
Thu Feb 9 16:27:03 EET 2017


On Thu, Feb 09, 2017 at 08:25:43AM +0100, wm4 wrote:
> On Wed, 8 Feb 2017 22:07:24 +0100
> Michael Niedermayer <michael at niedermayer.cc> wrote:
> 
> > Hi all
> > 
> > On Sat, Aug 08, 2015 at 03:51:11AM +0200, Michael Niedermayer wrote:
> > > On Fri, Aug 07, 2015 at 07:46:55PM -0400, compn wrote:  
> > > > hello,
> > > > 
> > > > some of you know that we have a list for security / CVE issues.
> > > > some of you did not know this.
> > > > 
> > > > i think it is a private list due to not wanting people to make exploits
> > > > before we have a chance to fix them. of course, if no one is subscribed
> > > > to review/fix issues then they will never get fixed.
> > > > 
> > > > so if you are a regular developer who wants access to this list, please
> > > > speak up.
> > > > 
> > > > i do not run nor admin the security email/list (nor do i know who does)
> > > > so please dont ask me questions about it.  
> > > 
> > > I guess, i "de facto" admin the security "email/list".
> > > if someone wants to help with security issues, mail me
> > > 
> > > but there are no open security issues and if there was one i very
> > > likely would fix it ASAP  
> > 
> > A small update due to never? before seen interest in ffmpeg-security
> > in the recent weeks/months
> > 
> > How to get on the ffmpeg-security "list"
> > 
> > People working on security in FFmpeg, that's maybe fixing many coverity
> > issues, backporting fixes to releases, maintaining FFmpeg releases, ...
> > having an obsession with fixing bugs about undefined behavior or bugs
> > about crashes and race conditions on trac, or an obsession with testing
> > every bugfix, and who want and need access to ffmpeg-security should
> > be on ffmpeg-security.
> > In short, people on ffmpeg-security should need to be on ffmpeg-security.
> > If you fall in this kind of category, please mail me
> > 
> > Or someone who reviews commits and obtains CVE#s for everything that
> > could be exploitable ...
> > 
> > I don't think we should give access to ffmpeg-security to everyone who
> > wants to be on the list. This is of course something the community
> > has to decide and not me, I am just erring on the safe side and am very
> > restrictive on who is added.
> > 
> > About the content I must warn you the list is really not very
> > interesting, as in trying to find, together with debian, someone at
> > chromium who knows what the CVEs they registered about FFmpeg actually
> > are about ... and then it embarrassingly is a patch on ffmpeg-devel
> > that is stuck in review and not applied and now I can redo the releases ...
> > ... Where are the people caring about security? Why did they not
> > pick these 2 public patches up, change what they felt needs changing
> > and push them?
> > And there are the fuzz samples that need more than 20sec; these are
> > the main type of reported issue recently after I've succeeded to stop
> > the oom kind.
> > 
> > Also there are no open security(*) issues I know of, and if there were
> > I likely would fix them ASAP. Not saying that help is unwelcome
> > or that it's impossible for me to make a mistake or miss something ...
> > 
> > (*) I assume here that fuzz samples taking more than 20sec or integer
> > overflows in DSP code aren't security issues. I am working on fixing
> > these too, but for this category there are open issues.
> > 
> > PS: If you want access to the oss-fuzz reports, they all seem
> > automatically public 7 days after being fixed
> > 
> > [...]
> > 
> 
> I'd like to get on the ffmpeg-security mailing list to review patches.

That's appreciated, though there's a problem: there rarely are patches
on that "list". Besides, there is no mailing list, this is just a mail
alias.

If I search for "~cffmpeg-security ~b\\+\\+\\+" I see only 54 matches
in the whole history of the list in my inbox, most of which are
duplicates in quotes of replies,
so maybe there were less than 20 patches ever posted to that list.
Also, patches tend to be CC-ed to developers knowing the code or commit
related to an issue, like Ronald and James for the http fix in December
or Paul and Martin for the exr patch in August.

If the community wants me to add every FFmpeg maintainer who wants
to be on the alias, I can do that. But in the absence of a clear
community decision (poll/vote) on the inclusion criteria I am reluctant
to add anyone without a strong reason. There occasionally is
information or files posted that could be used in the construction of
an exploit prior to everyone updating, so the fewer addresses it is
sent to the better.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No great genius has ever existed without some touch of madness. -- Aristotle