21 Zero-Days in FFmpeg
19 points by sanxiyn
It's very sleazy to call these "zero-days" to play up the scariness factor. They're just bugs that could be vulnerabilities. A "zero-day" usually refers to an attack using an unknown vulnerability, not a bug that is being reported by a security researcher. Usually we call bugs submitted by security researchers "bugs" or "vulnerabilities", not "zero days". On top of that, they are pretty generously padding their numbers by reporting 12 of these issues as "zero-days" when:
The remaining issues are fixed, but we do not have CVE identifiers assigned yet.
I don't think you can call something a "zero" day when it was fixed 30+ days ago.
It's also pretty damning that their proof of attack viability is using a bug that was reported by a PhD student and fixed a month ago: https://github.com/FFmpeg/FFmpeg/commit/18761f9fb55c697243acd41689fbee6a6d6f13ca
A reminder that properly sandboxed, these issues are not so severe. If you only rely on bug-free code to keep you secure you will have a bad time. Defence in depth is needed.
It seems unlikely that this team found the exact same 21 bugs with solely original research. Why not one fewer or more? Or an intersecting set?
Does it say in the post that they're the exact matching 21? They only list 13 with already assigned CVEs.
The remaining issues are fixed, but we do not have CVE identifiers assigned yet.
Sounds like someone else found them before them. At least they haven't found any new ones, but also in the linked article from Anthropic there is no mention of any specific number.