On 2/9/17, Michael Niedermayer <mich...@niedermayer.cc> wrote:
> On Thu, Feb 09, 2017 at 08:25:43AM +0100, wm4 wrote:
>> On Wed, 8 Feb 2017 22:07:24 +0100
>> Michael Niedermayer <mich...@niedermayer.cc> wrote:
>>
>> > Hi all
>> >
>> > On Sat, Aug 08, 2015 at 03:51:11AM +0200, Michael Niedermayer wrote:
>> > > On Fri, Aug 07, 2015 at 07:46:55PM -0400, compn wrote:
>> > > > hello,
>> > > >
>> > > > some of you know that we have a list for security / CVE issues.
>> > > > some of you did not know this.
>> > > >
>> > > > I think it is a private list due to not wanting people to make exploits
>> > > > before we have a chance to fix them. Of course, if no one is subscribed
>> > > > to review/fix issues then they will never get fixed.
>> > > >
>> > > > so if you are a regular developer who wants access to this list, please
>> > > > speak up.
>> > > >
>> > > > I do not run nor admin the security email/list (nor do I know who does)
>> > > > so please don't ask me questions about it.
>> > >
>> > > I guess I "de facto" admin the security "email/list".
>> > > If someone wants to help with security issues, mail me.
>> > >
>> > > But there are no open security issues, and if there was one I very
>> > > likely would fix it ASAP.
>> >
>> > A small update due to never? before seen interest in ffmpeg-security
>> > in the recent weeks/months.
>> >
>> > How to get on the ffmpeg-security "list"
>> >
>> > People working on security in FFmpeg, that's maybe fixing many coverity
>> > issues, backporting fixes to releases, maintaining FFmpeg releases, ...
>> > have an obsession with fixing bugs about undefined behavior or bugs
>> > about crashes and race conditions on trac. Or an obsession with testing
>> > every bugfix, and who want and need access to ffmpeg-security, should
>> > be on ffmpeg-security.
>> > In short, people on ffmpeg-security should need to be on ffmpeg-security.
>> > If you fall in this kind of category, please mail me.
>> >
>> > Or someone who reviews commits and obtains CVE#s for everything that
>> > could be exploitable ...
>> >
>> > I don't think we should give access to ffmpeg-security to everyone who
>> > wants to be on the list. This is of course something the community
>> > has to decide and not me; I am just erring on the safe side and am very
>> > restrictive on who is added.
>> >
>> > About the content, I must warn you the list is really not very
>> > interesting, as in trying to find, together with debian, someone at
>> > chromium who knows what the CVEs they registered about FFmpeg actually
>> > are about ... and then it embarrassingly is a patch on ffmpeg-devel
>> > that is stuck in review and not applied, and now I can redo the releases
>> > ...
>> > ... Where are the people caring about security? Why did they not
>> > pick these 2 public patches up, change what they felt needs changing
>> > and push them?
>> > And there are the fuzz samples that need more than 20sec; these are
>> > the main type of reported issue recently, after I've succeeded to stop
>> > the oom kind.
>> >
>> > Also there are no open security(*) issues I know of, and if there were
>> > I likely would fix them ASAP. Not saying that help is unwelcome
>> > or that it's impossible for me to make a mistake or miss something ...
>> >
>> > (*) I assume here that fuzz samples taking more than 20sec or integer
>> > overflows in DSP code aren't security issues. I am working on fixing
>> > these too, but for this category there are open issues.
>> >
>> > PS: If you want access to the oss-fuzz reports, they all seem
>> > automatically public 7 days after being fixed.
>> >
>> > [...]
>> >
>>
>> I'd like to get on the ffmpeg-security mailing list to review patches.
>
> That's appreciated, though there's a problem: there rarely are patches
> on that "list". Besides, there is no mailing list, this is just a mail
> alias.
>
> If I search for "~cffmpeg-security ~b\\+\\+\\+" I see only 54 matches
> in the whole history of the list in my inbox, most of which are
> duplicates in quotes of replies,
> so maybe there were less than 20 patches ever posted to that list.
> Also patches tend to be CC-ed to developers knowing the code or commit
> related to an issue, like ronald and james for the http fix in december
> or paul and martin for the exr patch in august.
>
> If the community wants me to add every FFmpeg maintainer who wants
> to be on the alias, I can do that. But in the absence of a clear
> community decision (poll/vote) on the inclusion criteria I am reluctant
> to add anyone without a strong reason. There occasionally is
> information or files posted that could be used in the construction of
> an exploit prior to everyone updating, so the fewer addresses it is
> sent to the better.

So others are sending CVE reports directly to you?

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel