2.8.14 security updates


2.8.14 security updates

Bryan Duff
Is 2.8.14 up-to-date as far as known security issues (e.g. CVEs) are
concerned?

Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
mean that they only affect 3.x?  If not and they affect 2.8.14, then there
are a decent number that affect 2.8.14 (15 of them?)

For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
not affected.  Just trying to make sure.

Thanks.

-Bryan
_______________________________________________
ffmpeg-user mailing list
[hidden email]
http://ffmpeg.org/mailman/listinfo/ffmpeg-user

To unsubscribe, visit link above, or email
[hidden email] with subject "unsubscribe".

Re: 2.8.14 security updates

Reindl Harald


Am 15.05.2018 um 22:02 schrieb Bryan Duff:

> Is 2.8.14 up-to-date as far as known security issues (e.g. CVEs) are
> concerned?
>
> Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
> mean that they only affect 3.x?  If not and they affect 2.8.14, then there
> are a decent number that affect 2.8.14 (15 of them?)
>
> For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
> has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> not affected.  Just trying to make sure

while this list doesn't give a damn about anything other than current master -
2.8.14 - seriously?

nobody can answer that for sure because the most recent is 4.0 and it's impossible
by common sense to backport everything besides hope

3.0 was 2016-02-15
this is more than two years!

2.8 was 2015-09-09

in doubt the answer is simply "no"


Re: 2.8.14 security updates

Paul B Mahol
In reply to this post by Bryan Duff
On 5/15/18, Bryan Duff <[hidden email]> wrote:

> Is 2.8.14 up-to-date as far as known security issues (e.g. CVEs) are
> concerned?
>
> Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
> mean that they only affect 3.x?  If not and they affect 2.8.14, then there
> are a decent number that affect 2.8.14 (15 of them?)
>
> For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
> has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> not affected.  Just trying to make sure.
>

2.8.14 is not affected by this CVE simply because new features never get into
obsolete releases.

Re: 2.8.14 security updates

Carl Eugen Hoyos-2
In reply to this post by Bryan Duff
2018-05-15 22:02 GMT+02:00, Bryan Duff <[hidden email]>:
> Is 2.8.14 up-to-date as far as known security issues (e.g.
> CVEs) are concerned?

2.8 is still supported and gets security updates:
http://ffmpeg.org/download.html
Note that nearly no fixed FFmpeg security issue gets a CVE,
so CVEs have limited relevance for FFmpeg.

> Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
> mean that they only affect 3.x?  If not and they affect 2.8.14, then there
> are a decent number that affect 2.8.14 (15 of them?)

As said above, the number of CVEs has no relevance here;
the number of fixed issues with possible security implications
per release is approximately a magnitude bigger than the
number of reported CVEs.

> For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
> has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> not affected.  Just trying to make sure.

Could you elaborate on what you want to know exactly?
The issue in question was introduced after 2.8 was released, but
I wonder why you chose this example: This is a DoS, but valid
files can easily be found that cause DoS for libavformat /
libavcodec in a given environment, so you have to secure the
libraries independently of our code to avoid DoS.

Carl Eugen

Re: 2.8.14 security updates

Bryan Duff
On Tue, May 15, 2018 at 4:46 PM, Carl Eugen Hoyos <[hidden email]>
wrote:

> 2018-05-15 22:02 GMT+02:00, Bryan Duff <[hidden email]>:
> > Is 2.8.14 up-to-date as far as known security issues (e.g.
> > CVEs) are concerned?
>
> 2.8 is still supported and gets security updates:
> http://ffmpeg.org/download.html
> Note that nearly no fixed FFmpeg security issue gets a CVE,
> so CVEs have limited relevance for FFmpeg.
>

OK, and the reason I'm using 2.8 is because that's as high as the el7
rpmfusion repo goes to.


> > Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
> > mean that they only affect 3.x?  If not and they affect 2.8.14, then there
> > are a decent number that affect 2.8.14 (15 of them?)
>
> As said above, the number of CVEs has no relevance here;
> the number of fixed issues with possible security implications
> per release is approximately a magnitude bigger than the
> number of reported CVEs.
>

Yeah, I see quite a few commits from the OSS fuzzer.


> > For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
> > has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> > not affected.  Just trying to make sure.
>
> Could you elaborate on what you want to know exactly?
> The issue in question was introduced after 2.8 was released, but
> I wonder why you chose this example: This is a DoS, but valid
> files can easily be found that cause DoS for libavformat /
> libavcodec in a given environment, so you have to secure the
> libraries independently of our code to avoid DoS.
>

That example was just a real-world example that, based on how it's
worded, does not affect 2.8.x, so it wasn't backported to that branch.

As for DoS attacks - is that only relevant for streaming?

My usage is local (e.g. making an animation from screenshots, or format
conversion).  Any recommendations here?  Is 2.8 alright?  Anything on
hardening practices for FFmpeg?

Thanks.

-Bryan

>
> Carl Eugen

Re: 2.8.14 security updates

Carl Eugen Hoyos-2
2018-05-16 0:25 GMT+02:00, Bryan Duff <[hidden email]>:
> On Tue, May 15, 2018 at 4:46 PM, Carl Eugen Hoyos wrote:

[...]

>> Could you elaborate on what you want to know exactly?
>> The issue in question was introduced after 2.8 was released, but
>> I wonder why you chose this example: This is a DoS, but valid
>> files can easily be found that cause DoS for libavformat /
>> libavcodec in a given environment, so you have to secure the
>> libraries independently of our code to avoid DoS.
>
> That example was just a real-world example that, based on how it's
> worded, does not affect 2.8.x, so it wasn't backported to that branch.

Not 100% sure if it counts as a "real-world example", especially as it
is "only" a DoS issue, which is nothing out of the ordinary for
FFmpeg.

> As for DoS attacks - is that only relevant for streaming?

I am not sure I understand the question, but no, DoS is
always (security-)relevant, although, as said, it is possible
to use FFmpeg's libraries for DoS on a given system with
valid input files.

> My usage is local (e.g. making an animation from
> screenshots, or format conversion).

> Any recommendations here?  Is 2.8 alright?

Same recommendation as always on this mailing list:
Except for security issues, only current FFmpeg git
head is supported.

> Anything on hardening practices for FFmpeg?

There is --toolchain=hardened (try not to copy various
other "recommendations", they are mostly meant to
produce slow binaries and at the same time try to
trigger gcc regressions, see the Gentoo FFmpeg bug
reports).

Carl Eugen
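Carl's point above is that resource exhaustion (DoS) can be triggered in libavformat/libavcodec even by valid input, so the caller has to bound the process itself. As an added example that is not from the thread or the FFmpeg project, here is a wrapper for local runs like Bryan's; it assumes POSIX sh with ulimit and a coreutils/busybox `timeout`.

```shell
# Added example, not code from the thread or the FFmpeg project.
# Assumes POSIX sh with ulimit, and a `timeout` that accepts -s and -k
# (GNU coreutils or busybox). Build-time complement from the thread:
# ./configure --toolchain=hardened

# run_bounded WALL_SECS CPU_SECS MEM_KIB FSIZE_BLOCKS COMMAND [ARGS...]
#   Runs COMMAND under a wall-clock deadline, a CPU-time cap, an
#   address-space cap and an output-file-size cap, with core dumps off.
#   Returns COMMAND's exit status, 124 if `timeout` had to stop it, or
#   125 if a limit could not be applied (a missing limit never passes
#   silently, so a weakened sandbox is visible to the caller).
run_bounded() {
    wall="$1"; cpu="$2"; mem="$3"; fsize="$4"
    shift 4
    (
        # Soft limits set here apply to this subshell and to whatever it execs.
        ulimit -t "$cpu"   || exit 125   # CPU seconds; SIGXCPU once exceeded
        ulimit -v "$mem"   || exit 125   # virtual address space, in KiB
        ulimit -f "$fsize" || exit 125   # largest file it may write (1 KiB blocks in bash)
        ulimit -c 0        || exit 125   # no core dumps from a crashing decoder
        # TERM at the deadline, KILL 5 s later if TERM is ignored.
        exec timeout -s TERM -k 5 "$wall" "$@"
    )
}

# Typical local use from the thread (screenshots to an animation), with a
# 5 minute deadline, 4 minutes of CPU, 4 GiB address space, 512 MiB output:
#   run_bounded 300 240 4194304 524288 ffmpeg -i frame%03d.png out.gif
```

Exceeding the CPU or file-size limit surfaces as a signal death (SIGXCPU, SIGXFSZ), so a monitoring script should treat any status above 128 from a conversion job as a contained failure, not a transient error.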

Re: 2.8.14 security updates

Moritz Barsnick
In reply to this post by Bryan Duff
On Tue, May 15, 2018 at 17:25:56 -0500, Bryan Duff wrote:
> OK, and the reason I'm using 2.8 is because that's as high as the el7
> rpmfusion repo goes to.

Okay, if it was the libraries you needed, because you had an old
program which has never been adapted to ffmpeg's new APIs/ABIs, that
would have been a valid reason. But for the command line tools, I see
no reason not to grab hold of a considerably newer version.

If you want to stick to repos: In the case of EL7, I know that you can
find much newer versions of the multimedia programs including ffmpeg
(4.0) in the Negativo17 multimedia repo:

https://negativo17.org/multimedia/

$ yum-config-manager --add-repo=https://negativo17.org/repos/epel-multimedia.repo

Note that it may or may not clash with rpmfusion, depending on what you
really need. They work fine for me in parallel on Fedora 27. (There was
a conflict for a while, as smplayer from rpmfusion needed different
libs than negativo17 provided.) YMMV.

Moritz

Re: 2.8.14 security updates

Carl Eugen Hoyos-2
2018-05-16 9:39 GMT+02:00, Moritz Barsnick <[hidden email]>:

> On Tue, May 15, 2018 at 17:25:56 -0500, Bryan Duff wrote:
>> OK, and the reason I'm using 2.8 is because that's as high as the el7
>> rpmfusion repo goes to.
>
> Okay, if it was the libraries you needed, because you had an old
> program which has never been adapted to ffmpeg's new APIs/ABIs, that
> would have been a valid reason. But for the command line tools, I see
> no reason not to grab hold of a considerably newer version.
>
> If you want to stick to repos: In the case of EL7, I know that you can
> find much newer versions of the multimedia programs including ffmpeg
> (4.0) in the Negativo17 multimedia repo:

It should be much simpler to either compile a default (static) binary
or download one from the kind people offering them, see the download
section on our homepage.

Carl Eugen