[FFmpeg-devel] backport fixes for CVE-2019-9718 and CVE-2019-9721

Dominik 'Rathann' Mierzejewski dominik at greysector.net
Wed Mar 20 23:33:18 EET 2019


On Wednesday, 20 March 2019 at 19:18, Michael Niedermayer wrote:
> On Wed, Mar 20, 2019 at 12:08:52PM +0100, Dominik 'Rathann' Mierzejewski wrote:
> > On Wednesday, 20 March 2019 at 00:48, Carl Eugen Hoyos wrote:
> > > 2019-03-19 23:28 GMT+01:00, Dominik 'Rathann' Mierzejewski
> > > <dominik at greysector.net>:
> > > 
> > > > Were the CVE IDs not known at the time these were pushed to master?
> > > 
> > > No, how would this be possible?
> > 
> > Easy: you can request the ID at https://cveform.mitre.org/ before
> > pushing the commits.
> 
> Do you want to do that?
> In general patches are posted to the mailing list so you could if
> you want.
> There are probably about 1-2 "Timeout" fixes similar to these a day
> currently. Most of these are security issues in the sense of making denial
> of service easier, they do not change black to white. 
> 
> It's not so much that I don't have the time to request 1-2 CVE# a day, it's
> more that I am not sure this is really helpful to our users.

Understood. Reading https://cve.mitre.org/cve/request_id.html it looks
like a project (like FFmpeg) could request a range of CVE IDs in advance
and assign them on their own, without asking Mitre for each and every
one of them. But, I'm not volunteering for that (I would if I had time).

Thanks for the responses.

Regards,
Dominik
-- 
Fedora   https://getfedora.org  |  RPM Fusion  http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
        -- from "Collected Sayings of Muad'Dib" by the Princess Irulan

