Comment by nemothekid
7 days ago
>The reach of this bug is what makes it serious. Any deployment that points FFmpeg at an attacker-influenced RTSP URL is exposed: media ingest pipelines fetching user-supplied stream URLs, surveillance and CCTV systems pulling RTSP feeds, and transcoding services processing remote AV1-over-RTP sources
Wow this is actually pretty serious - I'm even surprised it's being published. There are several services where I can imagine this is exploitable today.
Some people might suggest it’s crucial to publish if you’re aware of a serious vulnerability, so that people using the software in a vulnerable way can take steps to mitigate the risk.
You would also need some sort of ASLR leak to make this exploitable
Speaking from firsthand experience: codec and other media processing libraries are some of the easiest software to find address leaks in.
(There are a number of reasons for this, not least being that C makes it very easy to ship partially initialized memory over the wire.)
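To make the point about partially initialized memory concrete, here is an added example (not part of the thread and not FFmpeg code) showing a reused buffer leaking a stale pointer into a fixed-size packet, next to the zero-first fix. The packet layout and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format: 2-byte big-endian length + 30-byte payload area. */
#define PKT_SIZE    32
#define HDR_SIZE    2
#define MAX_PAYLOAD (PKT_SIZE - HDR_SIZE)

static uint8_t scratch[PKT_SIZE];   /* work buffer reused between calls */

/* Simulates earlier work that left a pointer value in the buffer. */
void prior_use(const void *p) {
    memset(scratch, 0, sizeof scratch);
    memcpy(scratch + 16, &p, sizeof p);
}

/* Shared body; zero_first selects the hardened behaviour. */
static size_t build(uint8_t *out, const uint8_t *data, size_t len, int zero_first) {
    if (len > MAX_PAYLOAD) return 0;
    if (zero_first) memset(scratch, 0, sizeof scratch);
    scratch[0] = (uint8_t)(len >> 8);
    scratch[1] = (uint8_t)len;
    memcpy(scratch + HDR_SIZE, data, len);   /* only len bytes are written */
    memcpy(out, scratch, PKT_SIZE);          /* but all PKT_SIZE bytes are sent */
    return PKT_SIZE;
}

/* BEFORE: the unwritten payload tail still holds whatever was there. */
size_t build_leaky(uint8_t *out, const uint8_t *d, size_t n) { return build(out, d, n, 0); }

/* AFTER: every emitted byte is initialized before it leaves the process. */
size_t build_clean(uint8_t *out, const uint8_t *d, size_t n) { return build(out, d, n, 1); }

/* Returns 1 if the raw bytes of pointer p occur anywhere in the packet. */
int contains_ptr(const uint8_t *pkt, size_t n, const void *p) {
    for (size_t i = 0; i + sizeof p <= n; i++)
        if (memcmp(pkt + i, &p, sizeof p) == 0) return 1;
    return 0;
}

int main(void) {
    int secret = 0;
    uint8_t out[PKT_SIZE];
    const uint8_t msg[4] = { 'd', 'a', 't', 'a' };
    prior_use(&secret); build_leaky(out, msg, sizeof msg);
    printf("leaky packet carries pointer: %d\n", contains_ptr(out, PKT_SIZE, &secret));
    prior_use(&secret); build_clean(out, msg, sizeof msg);
    printf("clean packet carries pointer: %d\n", contains_ptr(out, PKT_SIZE, &secret));
    return 0;
}
```

Emitting only the header plus `len` bytes, rather than the full fixed-size buffer, closes the same gap where the format allows variable-length packets.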
Speed and security are not good bedfellows. Combine that with really shitty standards and dozens of years of development...
Oh, and licensing. Licensing is the real killer. I could just write my own mp3 decoder easily (the format not the file type) but I'm not gonna risk my company getting sued into the ground by doing that.
> Wow this is actually pretty serious
Don't transform your ffmpeg instance into a web browser.
ffmpeg has stated many many times that they don't care about bug or security reports