[FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions
Vittorio Giovara
vittorio.giovara at gmail.com
Tue Jan 28 07:11:33 EET 2025
On Sat, Jan 25, 2025 at 9:38 PM Michael Niedermayer <michael at niedermayer.cc>
wrote:
> On Thu, Jan 23, 2025 at 10:27:47PM +0100, Michael Niedermayer wrote:
> > On Wed, Jan 22, 2025 at 09:36:09PM +0100, Michael Niedermayer wrote:
> > > This blocks disallowed extensions from probing
> > > It also requires all available segments to have matching extensions to
> the format
> > > mpegts is treated independent of the extension
> > >
> > > It is recommended to set the whitelists correctly
> > > instead of depending on extensions, but this should help a bit,
> > > and this is easier to backport
> > >
> > > Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
> > > Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
> > >
> > > The other parts of CVE-2023-6602 have been fixed by prior commits
> > >
> > > Found-by: Harvey Phillips of Amazon Element55 (element55)
> > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > ---
> > > doc/demuxers.texi | 7 +++++++
> > > libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
> > > 2 files changed, 57 insertions(+)
> >
> > I intend to apply this patchset soon so it receives some testing before
> 7.1.1
>
> will apply
>
Should this be backported to other stable releases since it's a CVE?
--
Vittorio
More information about the ffmpeg-devel
mailing list