If there’s a vulnerability in the codec, then someone can slip a malicious file onto some web site and use it as an exploit. It’s not only about some 30 year old game. It might be appropriate for ffmpeg to get rid of such obscure codecs, or sandbox them somehow so RCE’s can’t escape from them, even at an efficiency cost. Yes though, Google funding or even a Summer of Code sponsorship would be great.
The issue is not whether security issues exist in ffmpeg. It’s clear that vulnerabilities need to be fixed.
The issue is with who actually fixes them. Your last sentence is the core of it. Google can submit as many bug reports as they want, but they better be willing to ensure the bugs get fixed too.
Google having found the bugs can either submit bug reports or quietly sit on them, or even exploit them as spyware, among other ideas. Whether they fund ffmpeg is a completely separate question. I can see how the 90 day disclosure window can be a problem if the number of reports is high.
Bug reports that apply only to Google’s services or which surface only because of them are bugs Google needs to fix. They can and do submit bug reports all they want. Nobody is obligated to fix them.
The other part of this is, of course, disclosure. Google’s disclosure of these bugs discredits ffmpeg developers and puts the blame on them if they fail to fix the vulnerabilities. They can acknowledge the project as being a volunteer, hobby project created by others if they want, and they can treat it like that. But if they’re doing that, they should not be putting responsibilities on them.
If Google wants to use ffmpeg, they can. But a bug in ffmpeg that affects Google’s services is a bug in Google’s service. It is not the responsibility of unpaid volunteers to maintain their services for them.
I don’t understand how a bug is supposed to know whether it’s triggered inside or outside of a google service. If the bug can only be triggered in some weird, google-specific deployment, that’s one thing, but I don’t think that’s what we’re talking about here. If the bug is manifestly present in ffmpeg and it’s discovered at google, what are you saying is supposed to happen? Google should a) report it under the normal 90 day disclosure rule; b) report it but let it stay undisclosed for longer than normal, due to the resource contraints ffmpeg’s devs areunder; c) not report it and let some attacker exploit it? (b) might have some merit but (c) is insane. Once some bad actor finds out about the bug (through independent discovery or any other way), it’s going to be exploited. That might already be happening before even google finds the bug.
FFmpeg’s codebase and dev community are both exceptionally difficult and that is not helping matters, I’m sure.
There are a bunch of Rust zealots busily rewriting GNU Coreutils which in practice have been quite reliable and not that badly in need of rewriting. Maybe the zealots should turn their attention to ffmpeg (a bug minefield of long renown) instead.
Alternatively (or in addition), some effort should go into sandboxing ffmpeg so its bugs can be contained.
If there’s a vulnerability in the codec, then someone can slip a malicious file onto some web site and use it as an exploit. It’s not only about some 30 year old game. It might be appropriate for ffmpeg to get rid of such obscure codecs, or sandbox them somehow so RCE’s can’t escape from them, even at an efficiency cost. Yes though, Google funding or even a Summer of Code sponsorship would be great.
The issue is not whether security issues exist in ffmpeg. It’s clear that vulnerabilities need to be fixed.
The issue is with who actually fixes them. Your last sentence is the core of it. Google can submit as many bug reports as they want, but they better be willing to ensure the bugs get fixed too.
If it’s a mission critical library, then the corporations should be willing to shell out money to ensure critical bugs are fixed.
Google can’t have their cake and eat it too.
Google having found the bugs can either submit bug reports or quietly sit on them, or even exploit them as spyware, among other ideas. Whether they fund ffmpeg is a completely separate question. I can see how the 90 day disclosure window can be a problem if the number of reports is high.
Bug reports that apply only to Google’s services or which surface only because of them are bugs Google needs to fix. They can and do submit bug reports all they want. Nobody is obligated to fix them.
The other part of this is, of course, disclosure. Google’s disclosure of these bugs discredits ffmpeg developers and puts the blame on them if they fail to fix the vulnerabilities. They can acknowledge the project as being a volunteer, hobby project created by others if they want, and they can treat it like that. But if they’re doing that, they should not be putting responsibilities on them.
If Google wants to use ffmpeg, they can. But a bug in ffmpeg that affects Google’s services is a bug in Google’s service. It is not the responsibility of unpaid volunteers to maintain their services for them.
I don’t understand how a bug is supposed to know whether it’s triggered inside or outside of a google service. If the bug can only be triggered in some weird, google-specific deployment, that’s one thing, but I don’t think that’s what we’re talking about here. If the bug is manifestly present in ffmpeg and it’s discovered at google, what are you saying is supposed to happen? Google should a) report it under the normal 90 day disclosure rule; b) report it but let it stay undisclosed for longer than normal, due to the resource contraints ffmpeg’s devs areunder; c) not report it and let some attacker exploit it? (b) might have some merit but (c) is insane. Once some bad actor finds out about the bug (through independent discovery or any other way), it’s going to be exploited. That might already be happening before even google finds the bug.
FFmpeg’s codebase and dev community are both exceptionally difficult and that is not helping matters, I’m sure.
There are a bunch of Rust zealots busily rewriting GNU Coreutils which in practice have been quite reliable and not that badly in need of rewriting. Maybe the zealots should turn their attention to ffmpeg (a bug minefield of long renown) instead.
Alternatively (or in addition), some effort should go into sandboxing ffmpeg so its bugs can be contained.