FFmpeg dealing with a security researcher

Posted by trollied 2 days ago

FFmpeg dealing with a security researcher(twitter.com)

104 points | 156 comments

vqtska 2 days ago|

I wonder if this vulnerable codec is enabled by default when building FFmpeg? Because if so, then it doesn't matter that it's a "1990s game codec" because any application using FFmpeg to accept arbitrary video files is vulnerable to memory corruption, which should probably be taken more seriously.

chemotaxis 2 days ago||

The somewhat depressing reality is that if you're running ffmpeg on user-supplied multimedia without putting it in a bulletproof sandbox, you're just bound to have a bad time.

Video decoding is one of these things that no one seems to know how to do safely in C or C++, not in the long haul. And that's probably fine, because we have lightweight sandboxing tech that makes this largely moot - but there's an extra step you need to take. Maybe it's on the ffmpeg project that they don't steer people in that direction.

Trying to fix these bugs piecemeal is somewhat pointless - or at least, we've been trying for several decades, throwing a ton of manpower and compute at it, and we're still nowhere near a point where you could say "this is safe".

ozgrakkurt 1 day ago||

Does this mean we have to run vlc in a sandbox while watching a downloaded film?

awakeasleep 1 day ago||

In production? With a user-supplied film?

You seem to be captured by the “all or nothing” security fallacy, when security must be viewed through the lens of (probability) x (impact)

ls612 2 days ago|||

It isn't even like this is without precedent, the FORCEDENTRY NSO kit used the shitty old JBIG2 parser that Apple was shipping as its entry point despite the fact that approximately nobody was legitimately using JBIG2 in iMessage.

hulitu 1 day ago|||

> despite the fact that approximately nobody was legitimately using JBIG2 in iMessage.

Then why it has been enabled ? Asking for a friend. /s

Unless Apple, ffmpeg has a reason to enable old codecs. If you only need a subset: configure; make; make install

astrange 20 hours ago||

> Then why it has been enabled ? Asking for a friend. /s

Because it's in the PDF spec, and you can't randomly disable parts of that.

IshKebab 2 days ago|||

I checked with Ubuntu's ffmpeg and it is enabled by default. There are a huge list of codecs enabled by default (maybe all of them?). Given the security track record of codecs implemented in C, this means it's basically guaranteed that there are dozens of security vulnerabilities in ffmpeg.

I think the same is probably true for VLC to a lesser extent, which is pretty wild considering I've never heard of it being used as an attack vector, e.g. via torrents.

ls612 1 day ago|||

I think that the x264 and hevc codecs are much more battle tested and a 0day for them would be worth enough that nobody would bother using it on random torrenters.

IshKebab 1 day ago||

But you don't need to use a popular codec, because all codecs are enabled by default.

ls612 1 day ago||

Yeah but most public trackers will give lots of side eye to torrents that contain an mkv that isn’t in one of those two formats.

IshKebab 1 day ago||

Really? You think trackers download files and analyse their contents before listing them? I don't.

ls612 1 day ago||

TPB? No. But 1337 and rutracker definitely do basic quality control. Nothing like a private tracker but they take down things like .mkv.lnk and similar.

hulitu 1 day ago||||

> Given the security track record of codecs implemented in C, this means it's basically guaranteed that there are dozens of security vulnerabilities in ffmpeg.

Or in, you know, external libraries. Maybe ffmeg shall be run with sanitized input (and not from a "web page" ) ? Just saying

haskellshill 2 days ago|||

VLC is pretty popular on windows, but ffmpeg? Is there any commonly used windows app that relies on it? I doubt it'd be worth one's time to write exploits for desktop linux

heavyset_go 1 day ago|||

ffmpeg is deployed everywhere, and old versions of ffmpeg are baked into a lot of devices.

If you have a device that does image, audio or video, libav and/or ffmpeg is likely somewhere in the stack. Your TV, camera, console or streaming device might use the software.

If you're using SaaS that does image, audio or video, they are likely using ffmpeg related software somewhere in their stack.

Same thing with apps, Android and iOS apps might use the libraries, as well as desktop apps.

godelski 1 day ago||||

  > VLC is pretty popular on windows, but ffmpeg?

I'm pretty confident VLC uses libavcodec

  > Is there any commonly used windows app that relies on it?

A lot of stuff uses libavcodec

dpe82 1 day ago||||

VLC and ffmpeg share the same underlying library family (libav*) where this vulnerability lives.

> I doubt it'd be worth one's time to write exploits for desktop Linux

How many developers, network administrators, etc. run desktop Linux? Gaining access to those can be very, very valuable.

brigade 1 day ago||

FFmpeg based players have been popular for 20 years now. Has there been a single documented actual use of their libraries as the exploitation vector anytime in the last two decades?

dns_snek 1 day ago|||

Does this count?

https://signal.org/blog/cellebrite-vulnerabilities/

> Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

But it was a product using a 9 year old ffmpeg build (at the time).

brigade 1 day ago|||

I'd still consider that an academic exercise rather than an exploit that was deployed in the real world (aka against a machine the attacker did not control)

renewiltord 1 day ago||

Yeah, that’s just how life is. We used to run with Heartbleed and Spectre turned off.

hulitu 1 day ago|||

> Does this count?

If Signal relies on ffmpeg to play videos instead of an externall app, i would say it is broken by design.

dpe82 1 day ago|||

I'm certain it's happened but since I don't have one off the top of my head I'll instead point out a related issue: https://en.wikipedia.org/wiki/Stagefright_(bug)

It's worth pointing out that many, many, many things use the libav* library family.

brigade 1 day ago||

Yes, I know that multimedia/image vulnerabilities are popular vectors for zero-click attacks. My point is that desktop players are not a vector for zero-click attacks, and ffmpeg has not generally been used in end-user situations that are targets of zero-click or drive-by attacks. Mostly because of the license, but still.

If the exploit chain involves the user downloading and opening a file, something like >99% of the time the next step already involves executable code (or Office macros), which makes any ffmpeg vuln completely useless.

phil21 1 day ago|||

In a past life as a managed hosting provider ffmpeg exploits were used to gain access to systems.

It’s used for pretty much any platform you can upload video to. Some places far more competently than others.

brigade 1 day ago||

See, I’d be interested in any actual evidence/writeups of that in the wild.

bawolff 23 hours ago||

In fairness, i dont think the majority of actual exploits used in the wild get writeups.

Budget web host using outdated software getting hacked because they havent updated in 2 years isn't exactly all that interesting of a blog post even if the victim knows enough to figure out what happened.

dpe82 1 day ago|||

Chrome uses ffmpeg's underlying libraries.

It's used way, way more than you think.

brigade 1 day ago||

Yes, I’m quite familiar with that. Chrome is why I added the “generally” qualifier.

And to the best of my knowledge, there has not been any in-the-wild exploit against Chrome through the handful of ffmpeg codecs they enable. Not even pwn2own type competitions either, as I recall.

dpe82 1 day ago||

I guess I'm confused - are you trying to imply the lack of a thorough, publicly reported successful exploit (or us just not casually giving you one that you care about) means that we're all released from the responsibility of taking potential exploits seriously?

michaelt 2 days ago||||

Depends if any important websites are re-compressing user-uploaded videos. If there's a website converting user-uploaded gifs to mp4 to save on bandwidth or something, I wouldn't be surprised if they used ffmpeg to do it.

Sophira 1 day ago|||

Yes, lots. To name an example, yt-dip uses it on all platforms, including Windows, which means that any video downloader front-end that uses it also uses FFmpeg.

Sophira 5 hours ago||

...I mean "yt-dlp", of course. Phone autocorrected >_<

plorkyeran 2 days ago||

No, all the ancient video game codecs and other such things that are there for historical preservation purposes but are rarely actually used are disabled by default and you have to really go out of your way to enable them. This was originally for binary size/build time reasons.

IshKebab 2 days ago||

Are you sure? I ran `ffmpeg -codecs` on Ubuntu and it lists

   D.V.L. sanm                 LucasArts SANM/SMUSH video

PaulKeeble 2 days ago||

"Just send patches" is I think the main point. Rather than just reporting security bugs these big organisations ought to start seeing the point of open source being that can and should be contributing if they value the project and need this fixed because its a pretty obscure problem generated by AI.

Telaneo 1 day ago||

I can't help but be reminded about the time that an MS employee put in a ticket on FFmpeg's bug tracker and said it was 'High priority'.[1][2]

On the one hand, this one Microsoft employee was probably in a bind and actually blocked by this bug. On some level, it's hard to blame them as an individual.

On the other hand, Microsoft has no leverage here and pays somewhere between a pittance and nothing for FFmpeg, while getting enormous use out of it. If they regularly donated with either money or patches, then there'd be no beef, but it's the expectation of getting something more for free while already getting so damn much for for zero cents that really grinds both mine and FFmpeg's gears.

That reminds me that I should probably throw some money at FFmpeg, if only to clear my conscience.

[1] https://xcancel.com/FFmpeg/status/1775178805704888726

[2] https://news.ycombinator.com/item?id=39912916

tjpnz 1 day ago|||

YouTube made $36.7 billion last year. Time they started pulling their weight.

kyrra 1 day ago||

They have around at least 3000 commits, assuming this search is right?

https://github.com/search?q=repo%3AFFmpeg%2FFFmpeg+%40google...

And they have done large pushes in the past: https://security.googleblog.com/2014/01/ffmpeg-and-thousand-...

_flux 2 days ago|||

Perhaps it'll be sooner than you expect: actually having proper fixes made by AI for the issues found with AI.

bawolff 1 day ago||

I think that is a little entitled. They should be happy google isn't just straight up emailing full-disclisure.

The person who makes the software has the duty to fix the security issues in their own code, nobody else, no matter how big they are.

waste_monk 1 day ago|||

>I think that is a little entitled. They should be happy google isn't just straight up emailing full-disclisure.

Google has literally billions of dollars in profits (in part because they use FFmpeg in a bunch of commercial products like Youtube and Chrome), and one of the largest software workforces in the world, including expertise on secure software and vulnerability remediation.

If anyone can afford to contribute back a fix instead of just raising a report, and has the ethical responsibility to do so, it's Google.

godelski 1 day ago|||

  > because they use FFmpeg in a bunch of commercial products like Youtube and Chrome

Not to mention they just have a vested interest in getting the problem solved. Even if we don't talk about money.

I'm not sure why this is an unpopular idea, but contribute back to your upstream dependencies. If they're a dependency, they're part of *your code*.

bawolff 1 day ago||

> Not to mention they just have a vested interest in getting the problem solved. Even if we don't talk about money.

Correct me if im wrong, but based on the report this looks like something that would affect regular users of ffmpeg but not google's use.

bawolff 1 day ago|||

Security vulnerability finding is a contribution. On the open market the type of service google is providing here would cost hundreds of thousands of dollars if not millions.

leoedin 1 day ago||||

> The person who makes the software has the duty to fix the security issues in their own code, nobody else, no matter how big they are.

That’s just clearly untrue for freely available software. So every person that ever published a hobby project on GitHub has a duty to fix security issues in it?

The organisation who ships software to paying customer may have a duty to fix security issues. If they didn’t, it could be seen as negligent, violate regulations or the contract they have with their customers. But there’s no contract with the free software developers. No duty of care from them to end users. Absolutely no duty.

bawolff 1 day ago|||

> That’s just clearly untrue for freely available software. So every person that ever published a hobby project on GitHub has a duty to fix security issues in it?

Yes, i think there is a moral duty if you are presenting the software for the general public to use. Or if you dont to at least make it clear how you handle stuff so that users can make their own decisions.

> But there’s no contract with the free software developers. No duty of care from them to end users. Absolutely no duty.

In your view would it be acceptable to backdoor open source software to sell user's data to the highest bidder? That's obviously not what happened here, but seems like the obvious conclusion of your argument.

63stack 12 hours ago||

Software licenses already make the conditions íj which they are offered to you very clear.

It is up to you, the end user of the software to evaluate whether those terms, risks, and options are good enough for you. If not, don't use it. You have it completely backwards, and frankly, sound quite entitled.

bawolff 55 minutes ago||

Morality and legality are not the same thing.

Although perhaps my previous comment went a little too far. I think its fine to not fix issues as long as you publish them so that users can make an informed decision. Where i think it would be morally wrong is if a project pretends it fixes security issues but doesn't or if it tries to cover them up - insisting external reporters dont talk about them while also having no intention of fixing them.

Basically i think open source projects (like everyone) have a moral duty to be honest and not try and decieve people, regardless of what the license says.

x0x0 1 day ago|||

Be careful, the Europeans tried (had the python foundation not pushed back hard, would have) and still would love to require anyone who's ever built a piece of software to perform maintenance for them on demand.

hitekker 1 day ago||||

Nah, it's entitlement to expect maintainers to overwork and fix every single "security" issue thrown their way. ffmpeg has just a few resources and Google has way, way more. The maintainers are not your servants nor are they Google's servants.

godelski 1 day ago||||

Doesn't Chrome use libavcodec?

I'm somewhat with you but we're also talking about a $3.4T company that's depending on an OSS project with what... under a $1m budget? It seems they're pretty resource constrained.

I'm pretty sure Google makes more through Chrome's usage of libav than ffmpeg's entire budget. So yeah, I think Google should put effort back in and I think it's in their best interest.

Trillion dollar companies standing on top of open source projects and giving little to nothing back is not okay. It's also just stupid since they're eating their own foundations

thatguysaguy 1 day ago||||

It's a volunteer run project... Saying that they have a duty to do anything other than what they want is quite strange.

eipi10_hn 1 day ago||||

Duh no, wtf. No one has the duty to fix the security issue unless they are paid for the open source codes they give. They don't threaten you to use their codes either.

If you want the security issue to be fixed, make a PR or offer the price you are willing to pay for them to fix.

bawolff 1 day ago||

By the same token nobody has the duty to responsibly disclose security bugs. The entire premise of responsible disclosure is that security researchers give time for upstream projects to fix security issues by privately reporting the issues, in exchange the maintainers graciously accept the reports. Its a deal that benefits maintainers much more than it benefits researchers. If ffmpeg doesn't want that deal, then google should go the full disclosure route.

> If you want the security issue to be fixed,

There is no indication that google actually cared much whether the issue got fixed or not. It seems like the course of events is that they noticed something looked wrong with the code so they filed a bug. That's it.

> willing to pay for them to fix.

Should ffmpeg pay for security researchers time to find these issues? The market price for that is much much much higher than the price to fix bugs.

If you were to pay someone to do vulnerability testing in ffmpeg with sufficient skill to find this issue, it would probably cost you in the hundreds of thousands of dollars at least.

eipi10_hn 21 hours ago||

Yes, that's right. Nobody has the duty to disclosure the security bugs. It's the security researchers' principles, and if they want to follow that, they can follow that.

But don't take it further that the maintainers have the duty to fix the issues. They choose that career, don't make it sound like ffmpeg is forcing them to disclosure. Maintainers don't "deal" with any security researchers about those, and don't put the confidence that it "benefits maintainers" than "benefit researchers", unless the maintainers declare that themselves. In this case there's no patch, no fix, no PR either, just issue-submission. "You have more benefits" are the claims of the researchers who think that their issue-submission contributions top everything else.

Finding and disclosing the security are issue-submission contributions, and that's it. Don't make it as a gift or something. ffmpeg doesn't have the need to find these issues, and they don't pay for it for it either. And vice versa, they have no duties to fix the issues. They don't force the security researchers to find and disclose things. If security researchers want to do it themselves, they can do whatever they want, but stop at forcing duties to the maintainers. The only thing I don't agree with ffmpeg is bringing those issues social while they can just ignore them, that's it.

bawolff 38 minutes ago||

I mean, i agree, ffmpeg are under no obligation to do anything. (In the heat of the moment i think my previous comment went too far, i would phrase it more, as if you want to be a "quality" software project then you have to respond to real security bugs promptly).

My biggest gripe though is that ffmpeg does seem to value these sorts of reports highly. If i'm reading the timestamps right, they fixed this report within 1 day: https://github.com/FFmpeg/FFmpeg/commit/c41a70b6bb79707e1e3a...

How often do you get your bug reports fixed that fast? When i file bugs in open source projects it usually takes at least weeks if im lucky to get a response. People almost never respond within 1 day. I think that demonstrates how valuable ffmpeg views these reports.

If the report was a garbage report (like e.g. the ones the curl maintainer complains about) i'd have more sympathy, but clearly ffmpeg views this issue submission as valuable. The whole thing makes me think of choosing-beggars. They want the google report but also are trying to use social pressure to make google contribute even more.

If they didn't want google's reports that's one thing - just reject them, but both wanting them while also demanding more is scummy in my opinion. Either accept or reject them.

toofy 1 day ago||||

i’m sorry, but when it comes to open source software if you want something on your timeline, you do it. the code is there. it’s _open_.

if “a duty” exists at all in this situation, it’s on the 4th wealthiest company in the world who is using that free software to serve its customers and raking in billions of dollars. (i want to be clear tho, that company does contribute a lot to the open source community. a whole lot. i’m just saying, if someone is hunting for a “duty” to fling around re: an open source project)

i was once naively saying some undeserved similar nonsense to a well known open source dev regarding some software package they were working on years ago, and he responded absolutely appropriately, [paraphrasing] “go ahead, you should absolutely do it, see if it’s better. none of us here are stopping you. we genuinely hope it is, truly. let us know. until then we’re working on other stuff.”

he was absolutely correct and i should have known better. not snotty at all, just, “you should totally do it!” that’s the appropriate answer every single time someone behaves as if your open source project owes them something. even more so when it’s the 4th richest company in the world.

so if you feel “a duty” exists somewhere to change something with ffmpeg, do it yourself. literally no one is stopping you. it’s _open source_.

polski-g 1 day ago|||

No person, ever, has a duty to fix security issues in free software with a no-warranty license. If you want your security fixes, pay for them.

bawolff 1 day ago||

I'm confused, on the bug report it is claimed ffmpeg fixed the issue, so presumably it was a valid issue. So what's the problem here? That it was a mere memory corruption bug and not an exploitable issue? Even still it seems reasonable that google reports bugs even if they aren't security issues and it seems reasonable to err on the side of memory cirruption being security relavent.

Edit: i guess its not even that, they are just bitter that they have to fix bugs in their own code??? Recieving vuln reports is a gift. If ffmpeg doesnt like it maybe google should just start practising full disclosure.

hitekker 1 day ago||

Here's a better summary: ffmpeg is getting DDOS'd by AI generated security CVEs. Those CVEs currently have zero real-world impact; the "researchers" didn't even bother to write a patch/fix for their reports.

My hot-take: it's security theater drama. Burn-out maintainers on one side and wealthy corporate employees on the other.

bawolff 1 day ago|||

This particular issue has a PoC to reproduce it. It seems very much that it would have real world impact

x0x0 1 day ago||||

Even if they have real-world impact: ffmpeg is a volunteer project. With (ffmpeg -codecs | wc -l) 519 codecs. This will trivially exhaust available ffmpeg eng resources.

haskellshill 1 day ago||

There's no law that you have to fix all bug reports. Isn't it better for users and developers alike that they can see the problems of the project. If they don't have resources that's fine, it's not like they are charging money for their product. But why not be honest and not request people sweep bugs under the rug for fear of looking bad?

awakeasleep 1 day ago|||

Because it burns out developers and ruins the project. Its like how the treatment can be worse than the disease in medicine.

The CVEs get reported, then big corps automated systems start flagging all use of ffmpeg, the big corp security software stops builds and removes it from dev laptops, then frustrated big corp engineers start harassing the volunteers and soon its not worth volunteering anymore, and the project dies, and there was never a real world impact.

ndiddy 1 day ago||

My point of view is that the unpaid ffmpeg maintainers should stop playing along with the corporate "security researchers" and not prioritize a bug over everything else simply because it's a CVE. In this case, the "high priority CVE" is from a reverse-engineered codec a hobbyist wrote to decode video from 1990s LucasArts video games. I think it's unreasonable to expect the maintainers to drop everything to fix a bug in a codec that most people will never use. If the trillion-dollar companies sending AI-generated CVE reports care so strongly about getting them fixed ASAP, they should really be fixing them themselves.

estimator7292 1 day ago||

You're completely missing the point.

The problem isn't that volunteer devs are harassed into work.

The problem is being harassed.

Whether or not you "care" or feel the need to do any work or accept responsibility, constant harassment will destroy anyone, even you.

ndiddy 1 day ago|||

My hope is that if they started responding to CVE bug reports for hobby codecs with something like “This is a codec written by someone in his free time and intended to be used for preservation purposes. We do not support using this codec with untrusted input and may not implement a fix for this bug within the 90 day CVE timeline”, it would stop the harassment. The companies doing the CVE spam would either have to start fixing things themselves, contract someone to do so, or stop using ffmpeg due to all the scary CVEs getting flagged in whatever bullshit security compliance standard they use.

phil21 1 day ago||

It would not stop the harassment at all. These reports are effectively free for the originating organization to write using AI - and some low level junior looking for promotion within said org will be highly motivated to pump those metrics up come review time.

You’d have to basically blacklist these orgs from all bug reports and maybe open it up to a select few known trusted senior resources that care more about their personal reputation within the community vs. corporate politics.

bawolff 1 day ago|||

Getting a polite bug report is not being harrased.

hitekker 22 hours ago|||

> This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2025-11-20 [https://issuetracker.google.com/issues/436510153]

Sounds like a threat to me. ffmpeg is a tiny team and Google is a goliath. Not to mention Google has used their AI to spam the same threat, about 8 times in the last few months https://ffmpeg.org/security.html

bawolff 17 hours ago||

Google is hardly the first people to come up with the notion of responsible disclosure. Whether you agree or not with the practise, the goal is to balance the needs of the maintainer with the needs of consumers. In practise such practises have massively boosted security of computer systems.

There is a lot of historical context with this sort of thing that has lead to systems like this that has nothing to do with google.

Besides google did not sign an NDA, they aren't under any obligation to keep anything secret. 90 days is a courtesy. They are fully within their rights to just publish their findings immediately if they felt like it.

x0x0 1 day ago|||

Fix it or we publish exploit code is not far off.

bawolff 1 day ago|||

Well either you care about security or you don't.

If you don't then your users should have the right know, so they can decide for themselves whether or not the risk is worth it.

Do you think that just because a project doesn't disclose something it goes away, or that if google can find the bug that much better funded groups like the NSA or malware vendors can't. Shoving things under the rug is the worst outcome.

x0x0 1 day ago||

What absolute nonsense. There's a gulf of difference between "there's no way 500+ codecs contributed mostly by unpaid hobbyists is robust to hostile input" and "here's working exploit code."

nradov 1 day ago|||

So let them publish exploit code. What's the problem?

eviks 20 hours ago|||

There is no law you can't complain about lack of help on Twitter

Also, could you quote the request to sweep bugs under the rug?

The main ask seems to be "send patches" later in the thread

haskellshill 1 day ago|||

What does it matter if it's AI generated if it's a real bug? The problem with AI reports is usually that they're invalid; in this case it was an actual bug.

> currently have zero real-world impact

So better we not talk about them until someone bothers to write an exploit for it?

> the "researchers" didn't even bother to write a patch/fix

If it has no real-world impact and thus shouldn't even be reported, then why does it need to be fixed?

yeasku 1 day ago||

ffmpeg is getting DDOS'd by AI generated security CVEs.

Not by classic bug reports.

rurban 1 day ago||

It's a pretty good report by bigsleep. It even comes with a good explanation and reproducer.

I like to get such reports from the occasional fuzzer. Just ignore the CVE, it's a bug

tehbeard 1 day ago||

> Recieving vuln reports is a gift.

A real gift would be to include a patch for it. Not just to run off into the sunset.

haskellshill 1 day ago||

[flagged]

cebert 2 days ago||

It looks like the FFmpeg account on X is calling out Google for using AI to mass-report CVEs in obscure volunteer maintained codecs, then expecting unpaid maintainers to rush fixes. Large, profitable firms rely on FFmpeg everywhere, but don’t seem to be contributing much to the project.

socalgal2 2 days ago||

A quick search of the ffmpeg commit history shows google has made plenty of contributions to ffmpeg. They may or may not provide a patch for this CVE but reporting it is the first step so people can then decide what action to take (like don't compile that codec in for example)

joatmon-snoo 2 days ago|||

No, this is the unfortunate reality of “ffmpeg is maintained by volunteers” and “CVE discovered on specific untrusted input”.

Google’s AI system is no different than the oss-fuzz project of yesteryear: it ensures that the underlying bug is concretely reproducible before filing the bug. The 90-day disclosure window is standard disclosure policy and applies equally to hobby projects and Google Chrome.

haskellshill 2 days ago||

Yeah, it's actually a great bug report. Reproducible and guaranteed to be an actual problem (regardless of how small the problem is considered by the devs). Just seems irresponsible to encourage people not to file bug reports if it's "insignificant". Why even accept reports then?

hdgvhicv 1 day ago||

“This is broken, here’s how I fixed it”

Vs “this is broken, you gave 90 days to fix it”

If you can’t see the difference you’re the existential threat to Free software that stems from the trillion dollar industries that just take.

haskellshill 1 day ago||

> you have 90 days to fix it

Or else what? They release the report? That's standard and ffmpeg is open source anyway, anybody can find the bug on their own. There's no threat here.

If you're mad about companies using your software, then don't release it with a license allowing them to use it. Simple as that. I don't understand how people can complain about companies doing exactly what you allowed them to do.

blueg3 1 day ago|||

I don't think Google is expecting anything here.

They run Big Sleep to find security vulnerabilities in projects they care about. It seems -- mostly from reading this issue's details -- that the finding is pretty high quality. Once a vulnerability is found, there's a duty to disclose the existence of the vulnerability to the project maintainers and, eventually, to the public within a reasonable timeframe.

The alternatives here are: not searching for the vulnerabilities in the first place; keeping the knowledge of the vulnerability secret; or notifying the public without the project maintainers having the opportunity to fix the vulnerability first. All of these are worse.

It's unlikely that Google cares about a vulnerability like this -- ffmpeg is probably run sandboxed and probably with a restricted set of codecs. So they're unlikely to spend engineering resources fixing it.

The project maintainers are under no obligation to actually fix the bug. The deadline is simply that the vulnerability will eventually be made public, even if it is not fixed. That's standard responsible disclosure and, again, is better than the alternatives.

TZubiri 2 days ago||

You think google uses ffmpeg for youtube?

Telaneo 1 day ago|||

They did once upon a time atleast.[1] Most videos probably go through dedicated hardware nowadays, but it wouldn't surprise me if some videos still have to go the FFmpeg route that catches all the videos that the dedicated hardware can't handle.

[1] https://web.archive.org/web/20110315155125/https://multimedi...

joatmon-snoo 2 days ago|||

They do.

defrost 2 days ago||

Full build with all the codecs, or a custom build with a limited vetted set?

Telaneo 1 day ago||

Does it matter?

Like, I don't expect Google to deliver patches for FFmpeg beyond bug fixes or features that directly benefit them, but that's the least you can expect.

defrost 1 day ago||

It matters to Google if they process public submitted videos using FFmpeg codecs that can be exploited.

One would expect Google to only use FFmpeg with vetted codecs and to either reject videos with codecs that have untrusted FFmpeg modules or to sandbox any such processing, both for increased safety and perhaps to occassionally find new malware "in the wild".

mappu 2 days ago||

Kostya (ex-FFmpeg developer)'s take on the behaviour of the FFmpeg twitter account: https://codecs.multimedia.cx/2025/11/ffpropaganda/

hitekker 1 day ago||

I'm not sure if Kostya's account is truthful. He has a huge axe to grind against ffmpeg https://blog.pkh.me/p/13-the-ffmpeg-libav-situation.html

IIRC, his "LibAV" fork was malicious and his people lied a lot to the community ("ffmpeg is now deprecated!"). Ultimately, they failed, but I see a lot of their rhetoric and resentment in Kostya's post today.

mappu 19 hours ago||

This isn't my place to argue, and certainly he was involved at the time, but LibAV wasn't really "his fork". Reading the full list of names who signed off https://lwn.net/Articles/423703/ I'm more interested in some other names, including darkshikari's deadname and the other heavy hitters of x264.

And if you browse through the ffmpeg mailing list of that historic month https://ffmpeg.org/pipermail/ffmpeg-devel/2011-January/ you'll find his name mostly attached to esoteric video game format patches and not in the big flamewar threads.

Actually - it looks like you can also see in that same month, his post of the first SMUSH codec implementation, that we're discussing in this thread. That's probably a bigger emotional factor than LibAV.

hitekker 8 hours ago||

Kostya fanned the flames https://codecs.multimedia.cx/2011/10/why-ffmpeg-is-better-th... As for "his" ownership, I think LibAV was a failure each team member should own and comes to terms with.

That's my point and also why I won't dig more. The author hasn't come to terms with his bad experience with ffmpeg, in LibAV or otherwise. Whatever the baggage is, it feels quite messy and heavy. It weighs down the article, with too much bitterness and resentment. That could work for self-therapy, less so for a credible account. As he confesses at the end:

> I wrote this post with an ulterior motive—I don’t want to feel shame when remembering that I took part in that project. So far though the more I hear about it the more disgusted I become.

pityJuke 2 days ago|||

it’s very… sad, i guess, watching a lot of software engineering discourse on social media (at least, what I see from Twitter) just become this attention grabbing shitposting. ffmpeg is very much a big player in this field, and it has paid off handsomely - those tweets are often popular on site, and shared across other social media.

Ygg2 2 days ago||

> paid off handsomely

Paid off how? Did they get more funding? More contributors?

cratermoon 1 day ago||

"exposure"

casey2 2 days ago|||

Wow these people have a lot of free time... shouldn't they be programming?

vreg 2 days ago|||

He sounds bitter.

secondcoming 2 days ago||

The most interesting part of that is the admission that they used decompilers to reverse engineer the codecs. I wonder if makign that output freely available is legal.

ronsor 1 day ago||

Reverse engineering for interoperability is generally legal. Even if not, copyright does not follow the "fruit of the poisoned tree" idea, so if the new code isn't substantially similar to the original, it doesn't matter.

gnfargbl 2 days ago||

FFmpeg seem to be taking the position that their code must be considered insecure in production unless you pay them for security consulting [1].

On the one hand, that's fine; it's their project, and if attack surface is not a priority for them, or they want to monetise that function, then nobody else has a right to complain.

On the other hand, we have plenty of evidence that untrusted input validation bugs pose a very high risk to end users. So, for as long as this is their policy, FFmpeg code really should not be included in any system where security is at all important. Perhaps we need a "fundamentally unsafe for use" sticker for OSS projects taking this stance?

[1] https://x.com/FFmpeg/status/1984425167070630289

vreg 2 days ago||

All code should be considered potentially vulnerable, that's why we have so many layers of exploit mitigation from the compiler to the runtime environment to the overall design of the system the code is running in.

TZubiri 2 days ago||

> unless you pay them

You can't pay for the software

>"FFmpeg is not available under any other licensing terms, especially not proprietary/commercial ones, not even in exchange for payment"

https://www.ffmpeg.org/legal.html

gnfargbl 2 days ago|||

I edited my post to make the nature of the requested payment clearer.

mkl 2 days ago||

Not sure why the Twitter account is complaining about this now. Maybe it's part of a bigger sequence of issues? This particular one was resolved pretty quickly, back in August.

The Google bug report is dated August 21: https://issuetracker.google.com/issues/440183164

There are FFmpeg commits apparently fixing the sanm codec problem within a day or so: https://github.com/FFmpeg/FFmpeg/commits/140fd653aed8cad774f...

Earlier, on August 20, there are FFmpeg fixes for other issues in the same codec apparently also found by Google (by fuzzing not AI?): https://github.com/FFmpeg/FFmpeg/commit/5f8cb575e83a05bc95b8..., https://github.com/FFmpeg/FFmpeg/commit/e726f7af17b3ea160b6c...

GeekyBear 2 days ago||

Those who do not learn from Stagefright are doomed to repeat it.

https://en.wikipedia.org/wiki/Stagefright_(bug)

hdgvhicv 1 day ago||

Why didn’t one of the ffmpeg developers that Google employs fix the bug?

I assume Google has several full time ffmpeg developers given how much they rely on it.

GaryBluto 2 days ago|

Rather unprofessional for an official project twitter account to complain about "slop"

> We take security very seriously but at the same time is it really fair that trillion dollar corporations run AI to find security issues on people's hobby code? Then expect volunteers to fix.

Yes. If a vulnerability exists, it's wise to report it. You don't need to fix it immediately (nobody has got a gun to your head) but just because it isn't likely to be exploited doesn't mean it isn't there. While it'd be nice if Google contributed, if I had to choose between Google doing this and doing nothing, I'd choose this.

> Is it really the job of a volunteer working on hobby 1990s codec to care about Google's security issues? Or anyone's?

It isn't "Google's security issues", it's a FFmpeg security issue. The tone from this account is incredibly childish.

This exchange was what shocked me the most:

Person 1:

> If someone sends me cutekitten.mp4, but it is actually not an mp4 file, but a smush file using an obscure 1990s hobby codec, could the bug be exploited if I just run ffplay cutekitten.mp4?

FFmpeg:

> Is it the job of volunteers working on game codecs in their free time as a hobby to fix Google's AI generated bug reports?

Completely dodging the question.

Klonoar 2 days ago||

I feel like you’re misunderstanding their point.

It’s not that the vulnerability was found and reported, it’s that a trillion plus dollar organization that no doubt actively uses ffmpeg in a litany of spaces is punting the important work of fixing it to volunteers.

This is the same issue that we’re seeing over with XSLT in Chrome: they’re happy when they’re making money off the back of these projects but balk when it comes down to supporting them.

(Yes, everyone is aware Google contributes to open source. They’re still one of the most valuable companies to ever exist, there is almost no excuse for them getting away with this trade off)

Dylan16807 1 day ago|||

It would be nice if they helped fix it, and maybe they don't help enough in general?, but as ffmpeg says this specific codec is just a hobby project for ancient obscure files. **Google gains zero value from this codec.** Disabling it would be plenty to fix the problem on their end.

But that would leave everyone else vulnerable, so they report it. Reporting real problems is a good thing.

haskellshill 2 days ago|||

Google found a vulnerability and reported it for free. Why do they need to do anything more? Give and inch and ffmpeg's twitter guy requests a mile. If you don't want people to use your software to make money, release it with a license that prohibits that.

Klonoar 1 day ago||

> If you don't want people to use your software to make money, release it with a license that prohibits that.

Or, y'know, the project could balk at a trillion dollar company expecting them to do free work.

Cuts both ways.

Rebelgecko 19 hours ago||

What expectation? Giving someone a heads up about a bug isn't a demand to fix it

fabrice_d 2 days ago|||

It is absolutely Google's security issue if they use an open source project with that license:

https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/COPYING....

and then expect volunteers to provide them fixes.

joatmon-snoo 2 days ago|||

Google never asked a volunteer for a fix.

This is part of Google’s standard disclosure policy: it gets disclosed within 90 days starting from confirmation+contact.

If ffmpeg didn’t want to fix it, they could’ve just let the CVE get opened.

GaryBluto 2 days ago|||

It's not just Google who could be affected by this.

> and then expect volunteers to provide them fixes.

Expect volunteers to provide everyone using the software with fixes.

sillywabbit 2 days ago||

For a bug in the LucasArts Smush codec? Why didn't you verify it was an mp4/h264 first?

TZubiri 2 days ago||

Mp4 is an envelope codec, so it could be both an mp4 and an obscure codec

herpessimplex10 2 days ago|||

Kindly do the needful and update ticket in Jira when complete.

execution 2 days ago|||

Nah, I think they can rant as much about it as they want, nothing is unprofessional on Twitter - have you seen the state of of it?

Actually I think they are using correctly, you are suppose to post something to provoke the most reactions you can.

But getting back to the point, I agree, it is not really a problem if you actually verified your input before blindly running ffmpeg on it - like people are not just downloading random files and running ffmpeg on it are they?! You would think if you are rolling ffmpeg into production code you would know the ins and outs of it.

Anyways I feel for those open-source maintainers, they must have so deal with so much noise.

vreg 2 days ago|||

This is a volunteer-run open source project. Your expectations are unrealistic and, to be quite frank, offensive.

spongebobstoes 2 days ago|||

What are their expectations, and which are unrealistic?

It reads to me like the only expectation is civility, not even necessarily an expectation of fixing it.

If Google can identify a vulnerability, what should they do? If they don't report it, they're effectively stockpiling weapons.

I'd wager that every usage of ffmpeg in Google infra is sandboxed, so calling this "Google's problem" seems silly to me.

Google can't be responsible for fixing everyone's sloppy C code.

GaryBluto 2 days ago|||

If a volunteer-run project wants to be full of CVEs and inevitably bleed users because of it, fine, but to whine about someone reporting a CVE in the first place is ridiculous. I'm not annoyed they haven't fixed it, I'm annoyed they're complaining about the problem being acknowledged.

haskellshill 2 days ago|||

Yeah, I mean if it's an actual vulnerability what are they complaining for?

paradox460 2 days ago||

You get what you pay for.

More comments...