zerobees 7 hours ago

Ffmpeg has an exceptionally terrible track record when it comes to security. People have been throwing fuzzers at it for as long as I remember and coming back with a nearly inexhaustible supply of memory corruption bugs. Here's an effort by one Googler a decade ago:

https://security.googleblog.com/2014/01/ffmpeg-and-thousand-...

So, while it's a demo of the capabilities of LLMs, this should not be at all surprising. Ffmpeg is absolutely not something you should be running outside of a sandbox if you're touching any untrusted or user-supplied content. I know that people do, and these people are taking unreasonable risks.

teravor 26 minutes ago | parent | next [-]

While sandboxing ffmpeg directly isn't difficult, unfortunately with something like MPV/VLC that uses ffmpeg it's more challenging. Until recently (virtio GPU native context) it wasn't even possible to sandbox a video player without losing all hardware acceleration. At least not from the outside; they could always try to sequester ffmpeg and seccomp it to hell like Chromium.

oinoom 4 hours ago | parent | prev | next [-]

Funny, John Carmack was just admiring the creator of ffmpeg the other day for being a better programmer. https://x.com/id_aa_carmack/status/2064095424420487226?s=46

mjg59 28 minutes ago | parent | next [-]

The majority of code in ffmpeg today isn't written by Fabrice, but also there's multiple axes that people view programming ability on. Some people can write software that will do things you couldn't imagine given the constraints. Some people can write software that is resilient against all malformed input. Sometimes these people are the same people, but frequently they're not.

tptacek 4 hours ago | parent | prev | next [-]

One thing has nothing to do with the other.

3 hours ago | parent [-]
[deleted]
wavemode 3 hours ago | parent | prev | next [-]

Security vulnerabilities are less about programming ability and more about rigor.

pibaker 2 hours ago | parent | prev [-]

Famous man whose last impactful work was decades ago and who spent years on Meta's sinking metaverse boat said so, so it must be true.

plaguuuuuu 38 minutes ago | parent | next [-]

Can't help laughing at a random ad hominem against John Carmack of all people, and about his opinion on a guy who is already widely regarded as an especially talented programmer.

zerobees an hour ago | parent | prev | next [-]

I don't think that's fair. There's a lot of talent and grit behind ffmpeg. But for better or worse, getting the code to do what it's supposed to do requires a different mindset than getting it to not do anything else (i.e., to handle malicious inputs correctly).

The developers of ffmpeg are very good at the first thing and not very good at the second. But few people on this planet, if instructed to write a complex video format parser in C or assembly, can produce something that's secure on the first try. The main failing of the ffmpeg team is that they should have spent more time on architectural hardening and mitigations. Most other large projects of this type do.

endofreach an hour ago | parent | prev | next [-]

So who is someone whose opinion is worth anything to you?

Except yourself, presumably; to me it almost seems nobody is perfect.

pibaker an hour ago | parent [-]

On this subject I'd at minimum expect someone with experience in security. Not someone most famously known for making toys that run on computers.

bravoetch an hour ago | parent [-]

I've seen a lot of things written about Carmack over the last 30+ years, not one comment this casually dismissive until today.

an hour ago | parent | prev [-]
[deleted]
loeg 7 hours ago | parent | prev | next [-]

They're also extremely hostile to security researchers who report these issues.

insanitybit 6 hours ago | parent | next [-]

https://x.com/ffmpeg/status/2039115531744334180?s=46&t=qCSkw...

Security is the punch line for ffmpeg.

grahamjperrin 6 hours ago | parent | next [-]

I'm glad to see their sense of humour :-)

https://nitter.net/ffmpeg/status/2039115531744334180

KPGv2 4 hours ago | parent [-]

> Assembly is a human readable version of machine code. It's exactly the same.

goddamn, and this is a project that prides itself on having hand-written assembly in it

breppp 2 hours ago | parent [-]

There's certainly assembly that maps directly to the machine language bytes; I assume you are talking about the version of assembly with the high-level loop macros.

rcbdev 2 hours ago | parent [-]

In some circles, High Level Assembly (HLA) is lovingly called "Mainframe Assembly".

stackghost an hour ago | parent | prev | next [-]

In their defense, the "rewrite it in rust" crowd can be really grating.

hootz 6 hours ago | parent | prev | next [-]

Oh my god! They are so funny and memeable! gets RCE'd

KPGv2 4 hours ago | parent | prev [-]

April Fools' Day really is the shittiest day to be online. For one thing, practical jokes/pranks are just gussied-up asshole behavior. For another thing, nerds generally SUCK at information-delivery pranks, which is what the Internet is full of on Apr 1.

lkt 3 hours ago | parent | prev | next [-]

The guy running the Twitter account is incompetent, but the actual devs are a lot saner, I think.

I agree it reflects poorly on them though

grahamjperrin 6 hours ago | parent | prev | next [-]

> … hostile to security researchers who report these issues.

Do you have an example?

lukaslalinsky 2 hours ago | parent | next [-]

I don't have an example, but I know the pattern. You are working on your software, a security researcher finds a bug, it's in your project; for you it's just another bug, but for them it's a point on their CV, so they make a theater about it and expect priority in dealing with it. It must get tiring if you get many of these.

naturalmovement 5 hours ago | parent | prev [-]

I have numerous examples of security researchers being hostile and impossible to work with (but cannot share them unfortunately).

duped 3 hours ago | parent | prev [-]

One dude running an X account is not indicative of a community to be honest.

That said, that dude has a point. "Researchers" chasing clout with their names attached to CVEs is kind of ridiculous. Half these CVEs are missing bounds checks that can be fixed with a patch in as much effort as writing up the blog post announcing that there was a missing bounds check.

boomlinde 3 hours ago | parent [-]

I guess that the perceived problem from a security perspective is that they're there, not that they're necessarily hard to fix once found.

endofreach an hour ago | parent | prev | next [-]

Of course. Everybody knows to rather use the obvious alternative to ffmpeg!

nerdsniper 6 hours ago | parent | prev | next [-]

Is GStreamer a more secure alternative or does it just get a bit less attention than ffmpeg?

derf_ 3 hours ago | parent | next [-]

Any multimedia project trying to support a large number of formats, whose usage in the wild differs by orders of magnitude, is going to have code of varying quality (although quality is not strictly correlated with usage: age and complexity are also big factors, among others). GStreamer puts plugins into different categories (-good, -bad, etc.) based on things like the maturity of the code, which helps you judge what risks you are taking. With FFmpeg it is harder to know which formats are more likely to have issues. Of course GStreamer can use FFmpeg, in which case you will also have all of FFmpeg's problems.

In both cases you are best off restricting things to what you actually use.

WD-42 5 hours ago | parent | prev | next [-]

From what I understand GStreamer is more about building complex pipelines and plugins; ffmpeg is better at playing some obscure 20-year-old video format extremely efficiently so you can watch it compiled for a potato.

Different cases really I think both are good.

hackernudes 4 hours ago | parent [-]

That's not really true. Ffmpeg is a Swiss army knife for anything related to digital multimedia (old and new). It is broken into a few libraries but doesn't really have plugins.

Gstreamer has a different model, chaining together plugins. Lots of overlap, but I think Gstreamer only has real traction because some silicon vendors use it.

hugmynutus 3 hours ago | parent | prev | next [-]

GStreamer is just a different front end to ffmpeg.

ffmpeg's core functionality (encode, decode, streams, pipes, channels) is all implemented in `libav`, which GStreamer links against.

harrall 3 hours ago | parent [-]

GStreamer doesn’t use ffmpeg’s pipeline at all. It implements a much more advanced directed graph with disconnect, connection and pad negotiation. You can dynamically swap out the entire filter graph during live playback with zero disruption. Swap feeds, outputs, effects… all at runtime.

ffmpeg and other media frameworks (Windows Media Foundation, Apple’s AVFramwork) only support static pipelines. You can use “switcher” components but the inputs are still static.

GStreamer is extremely special. The only thing that comes close was Microsoft’s DirectShow, which has since been replaced with Media Foundation which can’t do it. And while DirectShow did support it, it was fragile because many 3rd party filters did not support dynamic configuration.

GStreamer does use ffmpeg, but it just wraps the core encoder/decoder/filter code and discards the streams/graph/pipe part of ffmpeg.

wmf 4 hours ago | parent | prev | next [-]

Doesn't GStreamer mostly use ffmpeg plugins?

ranger_danger 5 hours ago | parent | prev [-]

In my experience it's mainly run by very grumpy and opinionated Europeans who take pride in having bugs old enough to drink.

bitwize 2 hours ago | parent | prev | next [-]

Time to RIIR, then?

anonymousiam 2 hours ago | parent [-]

I haven't seen that acronym before, but my guess is that it's "Re-Implement In Rust", right?

erk__ an hour ago | parent [-]

Usually it's Rewrite it in Rust, but both work I guess

6 hours ago | parent | prev | next [-]
[deleted]
cubefox 3 hours ago | parent | prev | next [-]

> Ffmpeg is absolutely not something you should be running outside of a sandbox if you're touching any untrusted or user-supplied content.

You would change your opinion quickly if your browser, apps and TV suddenly stopped supporting videos due to relying on FFmpeg.

defrost 3 hours ago | parent [-]

What prevents running a data stream in, transcoded data out sandbox with no access to unlimited resources, system files, system stacks, etc.?

It's okay for a sandbox to fall over due to bad inputs and poor memory security if it can just be restarted and move onto other streams.

ReactiveJelly 2 hours ago | parent [-]

I think Chromium already does sandbox ffmpeg in the renderer process because of their "Rule of Two": https://chromium.googlesource.com/chromium/src/+/HEAD/docs/s...

Thus:

1. Code which processes untrusted input

2. Code written in unsafe languages like C or C++

3. Code that runs without a sandbox

So ffmpeg should be sandboxed, same as the network code and GPU process are sandboxed.

defrost an hour ago | parent [-]

I completely agree, with regard for the GP's point about Android TVs with onboard ffmpeg libraries and add-on apps that call on said libraries (or pull in their own)...

Cheap arse low resource TVs should either include some form of sandboxing OR the entire device should be treated as a "can fall over" sandbox... well isolated from any household LAN of consequence, etc.

It seems unlikely that BoxStore Brand Android TVs will be well designed with an eye to security so <shrug> they're an exercise for home net admin masochists and/or an opportunity to market sensible easy to use IoT age routers that come preconfigured to handle bad-device(s).

cubefox 44 minutes ago | parent [-]

Am I getting this right, you expect TVs which are running Google TV (Android TV is the old name) to be less secure than TVs which are running a different operating system? I think the opposite is the case, because Google TV is developed by Google, which has a lot of experience with software security, while other TV operating systems are developed by companies which clearly don't have that experience.

defrost 15 minutes ago | parent [-]

There are a lot of "Android like" TVs out there.

anon-3988 4 hours ago | parent | prev | next [-]

Doesn't this negate all the amazing muh assembly hacking that they do lol

mkagenius 5 hours ago | parent | prev | next [-]

[flagged]

literallyroy 3 hours ago | parent [-]

Pretty bad astroturfing

naturalmovement 6 hours ago | parent | prev | next [-]

If there was a nearly inexhaustible supply of Indian security researchers emailing you a nearly inexhaustible supply of LLM slop daily, there is a point where you or I would stop caring too.

ffmpeg is Free Software. You are also free not to use it.

Oddly enough, despite all these endless grievances, no one has come up with a better or more capable tool, certainly not one that is freely available.

Evidently no one cares either, because most implementations of ffmpeg I've seen typically run it as root "because we have to". Don't worry we use Docker bro.

LeoPanthera 6 hours ago | parent | next [-]

[flagged]

bawolff 6 hours ago | parent | prev [-]

> nearly inexhaustible supply of LLM slop daily,

Actual well written vulnerability reports are not the same as slop.

AI slop is a real problem and annoying. Just because it exists does not mean every vulnerability report is AI slop.

Ffmpeg devs are free not to care, but then they can't complain when they start to get a bad reputation.

naturalmovement 6 hours ago | parent [-]

> AI slop is a real problem and annoying. Just because it exists does not mean every vulnerability report is AI slop.

Ok but who is going to sift through it all to triage the good bits when you're working on something for free?

> Ffmpeg devs are free not to care, but then they can't complain when they start to get a bad reputation

Who gives a shit about reputation when you're the only game in town?

There is nothing out there that even attempts to approximate an ffmpeg clone. They are the Swiss army knife of media encoding and all complainers have produced are plastic sporks.

bawolff 4 hours ago | parent [-]

> Ok but who is going to sift through it all to triage the good bits when you're working on something for free?

It's like anything else in open source. Maintainers will do so if they care. Maybe they decide they don't care. That is always their decision to make, but there are consequences for the project. Maybe those consequences make sense. Being a maintainer is all about making cost-benefit trade-offs.

> Who gives a shit about reputation when you're the only game in town?

It's up to the maintainers whether they care or not. It depends on what they value.

Ultimately, if maintainers make decisions that are at odds with what their user base wants, someone eventually forks and people vote with their feet.

naturalmovement 4 hours ago | parent | next [-]

Security is a bit different.

Today it's an industry driven by unscrupulous clout-chasers and a commitment to quantity over quality.

There is a difference between going through patches and pull requests vs. the endless stream of LLM-assisted bullshit that has started cluttering security inboxes in the last few years.

tptacek 4 hours ago | parent [-]

Vulnerability researchers don't create the vulnerabilities they report. The vulnerabilities exist whether or not they're reported by "clout chasers".

eipi10_hn 3 hours ago | parent | prev [-]

Yes, and people will sit there and sip tea while waiting for "someone"? For how long?

bawolff 2 hours ago | parent [-]

> Yes, and people will sit there and sip tea while waiting for "someone"? For how long?

Until someone cares enough to do it. This is open source software. When it comes to open source, the golden rule is you either do the things you care about yourself or stfu.

Given the libav fork wasn't all that long ago, it can obviously happen to ffmpeg just as much as it can happen to any other project.

gerdesj 6 hours ago | parent | prev [-]

ffmpeg is also rather popular and delivers a lot of functionality. It's unlikely that you don't have it installed.

Yes, there are security issues but quite a few are not ffmpeg itself related - the input is pretty shabby or at least not exactly easy to deal with!

Obviously, they could do with some assistance and I'm sure you and I will both dive in with equal zeal.