Date: Thu, 25 Jul 2013 11:08:45 +0200
From: Rémi Denis-Courmont <remi@...lab.net>
To: <kseifried@...hat.com>
Cc: Jean-Baptiste Kempf <jb@...eolan.org>, <oss-security@...ts.openwall.com>, 
 Michael Niedermayer <michaelni@....at>, 
 Moritz Muehlenhoff <jmm@...til.org>, Moritz Muehlenhoff <jmm@...ian.org>, 
 <ffmpeg-security@...peg.org>, <security@...eolan.org>
Subject: Re: new FFMpeg stuff

On Thu, 25 Jul 2013 03:01:33 -0600, Kurt Seifried <kseifried@...hat.com>
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 07/25/2013 02:52 AM, Jean-Baptiste Kempf wrote:
>> On 25 Jul, Kurt Seifried wrote :
>>> Can the VLC security team confirm/correct this as needed so we
>>> can ensure it's correct before I assign CVEs? thanks.
>> 
>> Why the VLC security team should be involved in that?
> 
> Because they want to help make sure the CVEs get correctly assigned?
> 
> If you guys don't care about getting CVE's done properly well that's
> your choice I guess and I'll assign the CVEs as best I can. But I was
> hoping VLC upstream might help out.

It's not that we don't care about CVE IDs. But "upstream VLC" is upstream
VLC, i.e. the VLC code base. We just do not have the resources and
expertise to evaluate FFmpeg/libav security issues individually.

Besides, VLC can be linked dynamically with many different FFmpeg or libav
versions. So keeping track of their security issues within the context of
VLC is more or less impossible. That is up to the VLC binary packagers, not
to upstream developers.

-- 
Rémi Denis-Courmont
Sent from my collocated server
