Re: [FFmpeg-devel] [PATCH 1/5] avformat/tty: Remove .txt from the extensions as it more likely is not a multimedia related file
On Tue, Sep 11, 2018 at 11:31:23PM +0200, Carl Eugen Hoyos wrote:
> 2018-05-12 18:33 GMT+02:00, Michael Niedermayer:
> > I am not sure if this is a good idea or not but it may make some
> > attacks harder. So throwing this out for discussions ...
>
> I am definitely not objecting but I doubt that this patch can make
> any attack harder.

Files ending with the .txt extension which are not multimedia files contain
some other possibly sensitive data.
If an attacker can control the input path for ffmpeg and nothing else then
being able to read txt files allows leaking the content to the attacker
generally.
We had bugs that allowed the attacker to control the input path in some
cases. So this prerequisite has evidence for past occurrence.

We surely can leave txt in the list if people prefer. This is not a clear
case of what is better. It's not a true "it's buggy and this fixes it" case,
rather a "this is a stepping stone an attacker might find useful in some case
of unknown probability".

> The main "advantage" of the patch imo is that it stops FFmpeg
> from decoding txt files.
>
> Carl Eugen
> ___
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire
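The precondition described in the message above (an attacker who controls only the input path) can also be narrowed on the calling side. The following is an added example, not part of the thread and not FFmpeg code: it confines an untrusted path to a media directory, rejects extensions outside an allowlist that omits .txt, and pins the demuxer with `-f`. The names `build_ffmpeg_argv`, `ALLOWED`, `RejectedInput` and the directory layout are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Assumed allowlist (not from the thread): extension -> demuxer name for `-f`.
# ".txt" is deliberately absent, mirroring the intent of the patch under discussion.
ALLOWED = {".mp4": "mov", ".mkv": "matroska", ".wav": "wav", ".ogg": "ogg"}


class RejectedInput(ValueError):
    """The untrusted path must not be handed to ffmpeg."""


def build_ffmpeg_argv(untrusted, media_root, output="out.mkv"):
    """Return an ffmpeg argv for an untrusted relative path, or raise RejectedInput."""
    root = Path(media_root).resolve()
    # resolve() collapses ".." and follows symlinks, so the containment check
    # applies to the file that would really be opened.
    target = (root / untrusted).resolve()
    if root not in target.parents:
        raise RejectedInput("path escapes media root")
    demuxer = ALLOWED.get(target.suffix.lower())
    if demuxer is None:
        raise RejectedInput("extension not allowlisted")
    if not target.is_file():
        raise RejectedInput("not a regular file")
    # -f forces the demuxer (no probing); -protocol_whitelist keeps input to local files.
    return ["ffmpeg", "-nostdin", "-protocol_whitelist", "file",
            "-f", demuxer, "-i", str(target), output]


def demo():
    """Run the check over a constructed directory tree; returns {path: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "media"
        root.mkdir()
        (root / "clip.mp4").write_bytes(b"constructed placeholder")
        (root / "notes.txt").write_text("constructed sensitive text")
        (Path(tmp) / "secret.mp4").write_bytes(b"outside the root")
        verdicts = {}
        for p in ["clip.mp4", "notes.txt", "../secret.mp4", "/etc/hostname", "missing.wav"]:
            try:
                verdicts[p] = build_ffmpeg_argv(p, root)[5]  # index 5 is the demuxer
            except RejectedInput as exc:
                verdicts[p] = "rejected: " + str(exc)
        return verdicts


if __name__ == "__main__":
    print(demo())
```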
Re: [FFmpeg-devel] [PATCH 1/5] avformat/tty: Remove .txt from the extensions as it more likely is not a multimedia related file
2018-09-11 23:42 GMT+02:00, Paul B Mahol:
> On 9/11/18, Carl Eugen Hoyos wrote:
>> 2018-05-12 18:33 GMT+02:00, Michael Niedermayer:
>>> I am not sure if this is a good idea or not but it may make some
>>> attacks harder. So throwing this out for discussions ...
>>
>> I am definitely not objecting but I doubt that this patch can make
>> any attack harder.
>> The main "advantage" of the patch imo is that it stops FFmpeg
>> from decoding txt files.
>
> FFmpeg can still decode txt files, just not automatically.

Sorry, I meant "by default".

Carl Eugen
Re: [FFmpeg-devel] [PATCH 1/5] avformat/tty: Remove .txt from the extensions as it more likely is not a multimedia related file
On 9/11/18, Carl Eugen Hoyos wrote:
> 2018-05-12 18:33 GMT+02:00, Michael Niedermayer:
>> I am not sure if this is a good idea or not but it may make some
>> attacks harder. So throwing this out for discussions ...
>
> I am definitely not objecting but I doubt that this patch can make
> any attack harder.
> The main "advantage" of the patch imo is that it stops FFmpeg
> from decoding txt files.

FFmpeg can still decode txt files, just not automatically.
Re: [FFmpeg-devel] [PATCH 1/5] avformat/tty: Remove .txt from the extensions as it more likely is not a multimedia related file
2018-05-12 18:33 GMT+02:00, Michael Niedermayer:
> I am not sure if this is a good idea or not but it may make some
> attacks harder. So throwing this out for discussions ...

I am definitely not objecting but I doubt that this patch can make
any attack harder.
The main "advantage" of the patch imo is that it stops FFmpeg
from decoding txt files.

Carl Eugen
Re: [FFmpeg-devel] [PATCH 1/5] avformat/tty: Remove .txt from the extensions as it more likely is not a multimedia related file
On Sat, May 12, 2018 at 06:33:25PM +0200, Michael Niedermayer wrote:
> I am not sure if this is a good idea or not but it may make some
> attacks harder. So throwing this out for discussions ...

No comment or other suggestion from anyone, so I will apply this.

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Answering whenever a program halts or runs forever is
On a Turing machine, in general impossible (Turing's halting problem).
On any real computer, always possible as a real computer has a finite number
of states N, and will either halt in less than N cycles or never halt.