On Sat, Jan 25, 2025 at 9:38 PM Michael Niedermayer <mich...@niedermayer.cc> wrote:
> On Thu, Jan 23, 2025 at 10:27:47PM +0100, Michael Niedermayer wrote: > > On Wed, Jan 22, 2025 at 09:36:09PM +0100, Michael Niedermayer wrote: > > > This blocks disallowed extensions from probing > > > It also requires all available segments to have matching extensions to > the format > > > mpegts is treated independent of the extension > > > > > > It is recommended to set the whitelists correctly > > > instead of depending on extensions, but this should help a bit, > > > and this is easier to backport > > > > > > Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer > > > Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification > > > > > > The other parts of CVE-2023-6602 have been fixed by prior commits > > > > > > Found-by: Harvey Phillips of Amazon Element55 (element55) > > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > > --- > > > doc/demuxers.texi | 7 +++++++ > > > libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ > > > 2 files changed, 57 insertions(+) > > > > I intend to apply this patchset soon so it receives some testing before > 7.1.1 > > will apply > Should this be backported to other stable releases since it's a CVE? -- Vittorio _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
