Dec 17, 2021, 3:25 PM by an...@khirnov.net: > Quoting Pierre-Anthony Lemieux (2021-12-15 21:41:25) > >> On Wed, Dec 15, 2021 at 12:20 PM Anton Khirnov <an...@khirnov.net> wrote: >> > >> > Quoting Pierre-Anthony Lemieux (2021-12-15 01:17:26) >> > > > >> > > > Now the question is whether a malicious attacker can craft those two >> > > > files to get access to anything they shouldn't. I suppose at the very >> > > > least the attacker can get information that the user opened the file >> > > > (by >> > > > adding an asset on an attacker's server) but that will be a danger with >> > > > any playlists allowing network resources and can be controlled with >> > > > io_open(). Can you think of any other possible issues? >> > > > >> > > >> > > Some security considerations: >> > > >> > > - a DDoS can conceivably occur if a malicious CPL+ASSETMAP is widely >> > > distributed. Both an ASSETMAP and a CPL are required since (a) the CPL >> > > does not contain paths/hyperlinks and (b) only those resources >> > > referenced by the CPL are fetched using the ASSETMAP. >> > > - the CPL uses XML, which has its own security considerations. For >> > > example, XML parsing can result in entities being fetched over the >> > > network, but this is disabled by default in libxml AFAIK. >> > >> > This is concerning. From a brief glance at libxml2, it seems that you >> > need to pass XML_PARSE_NONET as the last parameter to xmlReadMemory() to >> > actually disabling network fetching. >> > But it is possible I'm misreading the code, so if you or anyone else >> > understands this better then clarifications are welcome. >> >> I was referring to entity expansion and the loading of DTDs being >> disabled by default -- see XML_PARSE_NOENT and XML_PARSE_DTDLOAD at >> [1-2]. >> > > Okay then. If nobody has further comments, I will push your latest patch > in a few days. >
I think this shouldn't get merged into 5.0. It would get minimal amount of fuzzing if it does now, so let's leave it for a later release? I'd still like to see libuuid being used, we have several uses for it already. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
