[FFmpeg-devel,RFC] configure: Disable unsafe demuxers by default

These demuxers have probes that mainly probe based on file extension,
and map to codec IDs that render text as video. The result is that
ffmpeg will, by default, happily render, for example, .txt files
as images. This is not exactly a good security practice, an only
makes it easier for potential attackers to gain the contents of
system files.

Disable building these by default.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
---
I've been hard disabling these at $dayjob for a long time, after some
"interesting" upload attempts, but it should probably be done for
everyone.

I'm not overly attached implementaion details like the option name
or whether it's done at build time ot runtime, but I think the concept
of "don't render arbitrary system text files" is an important one.
---
 Changelog     | 1 +
 configure     | 7 +++++++
 tests/fate.sh | 1 +
 3 files changed, 9 insertions(+)

On 5/10/18, Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, an only
> makes it easier for potential attackers to gain the contents of
> system files.
>
> Disable building these by default.
>
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> ---
> I've been hard disabling these at $dayjob for a long time, after some
> "interesting" upload attempts, but it should probably be done for
> everyone.
>
> I'm not overly attached implementaion details like the option name
> or whether it's done at build time ot runtime, but I think the concept
> of "don't render arbitrary system text files" is an important one.
> ---
>  Changelog     | 1 +
>  configure     | 7 +++++++
>  tests/fate.sh | 1 +
>  3 files changed, 9 insertions(+)
>
> diff --git a/Changelog b/Changelog
> index d442ced..e3f8e83 100644
> --- a/Changelog
> +++ b/Changelog
> @@ -6,6 +6,7 @@ version <next>:
>  - tmix filter
>  - amplify filter
>  - fftdnoiz filter
> +- unsafe demuxers that render text files now disabled by default
>

Against.

On 10 May 2018 at 16:44, Derek Buitenhuis <derek.buitenhuis@gmail.com>
wrote:

> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, an only
> makes it easier for potential attackers to gain the contents of
> system files.
>
> Disable building these by default.
>
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> ---
> I've been hard disabling these at $dayjob for a long time, after some
> "interesting" upload attempts, but it should probably be done for
> everyone.
>
> I'm not overly attached implementaion details like the option name
> or whether it's done at build time ot runtime, but I think the concept
> of "don't render arbitrary system text files" is an important one.
> ---
>  Changelog     | 1 +
>  configure     | 7 +++++++
>  tests/fate.sh | 1 +
>  3 files changed, 9 insertions(+)
>
> diff --git a/Changelog b/Changelog
> index d442ced..e3f8e83 100644
> --- a/Changelog
> +++ b/Changelog
> @@ -6,6 +6,7 @@ version <next>:
>  - tmix filter
>  - amplify filter
>  - fftdnoiz filter
> +- unsafe demuxers that render text files now disabled by default
>
>
>  version 4.0:
> diff --git a/configure b/configure
> index a1f13a7..2f2805e 100755
> --- a/configure
> +++ b/configure
> @@ -107,6 +107,7 @@ Configuration options:
>    --enable-small           optimize for size instead of speed
>    --disable-runtime-cpudetect disable detecting CPU capabilities at
> runtime (smaller binary)
>    --enable-gray            enable full grayscale support (slower color)
> +  --enable-unsafe-demuxers enable unsafe-by-default demuxers
>    --disable-swscale-alpha  disable alpha channel support in swscale
>    --disable-all            disable building components, libraries and
> programs
>    --disable-autodetect     disable automatically detected external
> libraries [no]
> @@ -1784,6 +1785,7 @@ FEATURE_LIST="
>      small
>      static
>      swscale_alpha
> +    unsafe_demuxers
>  "
>
>  LIBRARY_LIST="
> @@ -3100,6 +3102,7 @@ videotoolbox_encoder_deps="videotoolbox
> VTCompressionSessionPrepareToEncodeFrame
>
>  # demuxers / muxers
>  ac3_demuxer_select="ac3_parser"
> +adf_demuxer_deps="unsafe_demuxers"
>  aiff_muxer_select="iso_media"
>  asf_demuxer_select="riffdec"
>  asf_o_demuxer_select="riffdec"
> @@ -3107,6 +3110,7 @@ asf_muxer_select="riffenc"
>  asf_stream_muxer_select="asf_muxer"
>  avi_demuxer_select="iso_media riffdec exif"
>  avi_muxer_select="riffenc"
> +bintext_demuxer_deps="unsafe_demuxers"
>  caf_demuxer_select="iso_media riffdec"
>  caf_muxer_select="iso_media"
>  dash_muxer_select="mp4_muxer"
> @@ -3124,6 +3128,7 @@ flac_demuxer_select="flac_parser"
>  hds_muxer_select="flv_muxer"
>  hls_muxer_select="mpegts_muxer"
>  hls_muxer_suggest="gcrypt openssl"
> +idf_demuxer_deps="unsafe_demuxers"
>  image2_alias_pix_demuxer_select="image2_demuxer"
>  image2_brender_pix_demuxer_select="image2_demuxer"
>  ipod_muxer_select="mov_muxer"
> @@ -3167,6 +3172,7 @@ swf_demuxer_suggest="zlib"
>  tak_demuxer_select="tak_parser"
>  tg2_muxer_select="mov_muxer"
>  tgp_muxer_select="mov_muxer"
> +tty_demuxer_deps="unsafe_demuxers"
>  vobsub_demuxer_select="mpegps_demuxer"
>  w64_demuxer_select="wav_demuxer"
>  w64_muxer_select="wav_muxer"
> @@ -3176,6 +3182,7 @@ webm_muxer_select="iso_media riffenc"
>  webm_dash_manifest_demuxer_select="matroska_demuxer"
>  wtv_demuxer_select="mpegts_demuxer riffdec"
>  wtv_muxer_select="mpegts_muxer riffenc"
> +xbin_demuxer_deps="unsafe_demuxers"
>  xmv_demuxer_select="riffdec"
>  xwma_demuxer_select="riffdec"
>
> diff --git a/tests/fate.sh b/tests/fate.sh
> index 0edee7f..6a99d66 100755
> --- a/tests/fate.sh
> +++ b/tests/fate.sh
> @@ -49,6 +49,7 @@ configure()(
>          --enable-gpl                                                    \
>          --enable-memory-poisoning                                       \
>          --enable-avresample                                             \
> +        --enable-unsafe-demuxers                                        \
>          ${ignore_tests:+--ignore-tests="$ignore_tests"}                 \
>          ${arch:+--arch=$arch}                                           \
>          ${cpu:+--cpu="$cpu"}                                            \
> --
> 1.8.3.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

Could you send a patch to disable the decoders as well?
Looks good otherwise.

On Thu, May 10, 2018 at 6:53 PM, Paul B Mahol <onemda@gmail.com> wrote:
>
> Against.

Hi,

Thank you for your review.

I would recommend you put a bit more effort into explaining which
parts you are opposed to. Think of yourself being on the receiving end
of such comments, how you would like to just get a flat out refusal
without any further details. You do not give the other side any chance
of doing anything, because you have not noted what is wrong with it.

Best regards,
Jan

On 5/10/18, Jan Ekstroem <jeebjp@gmail.com> wrote:
> On Thu, May 10, 2018 at 6:53 PM, Paul B Mahol <onemda@gmail.com> wrote:
>>
>> Against.
>
> Hi,
>
> Thank you for your review.
>
> I would recommend you put a bit more effort into explaining which
> parts you are opposed to. Think of yourself being on the receiving end
> of such comments, how you would like to just get a flat out refusal
> without any further details. You do not give the other side any chance
> of doing anything, because you have not noted what is wrong with it.

I do not like it being disabled by default.

There are options to disable compilation of such modules already.

On Thu, May 10, 2018 at 4:55 PM, Rostislav Pehlivanov
<atomnuker@gmail.com> wrote:
> Could you send a patch to disable the decoders as well?
> Looks good otherwise.

Yeah, I thought about doing that too. I can add that, though the option
will have to be renamed to something else.

- Derek

On Thu, May 10, 2018 at 5:11 PM, Paul B Mahol <onemda@gmail.com> wrote:
> I do not like it being disabled by default.

With all due respect, this is not a valid technical argument, in any respect.

> There are options to disable compilation of such modules already.

We should be defaulting to 'safe/sane by default'. Insecure and insane
defaults are
the cause of a huge number of issues across the web. The onus should not be on
the user to disable/fix all the bad defaults. That's how you become PHP.

- Derek

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

On Thu, 10 May 2018, Derek Buitenhuis wrote:

> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, an only
> makes it easier for potential attackers to gain the contents of
> system files.

Maybe it is better if we simply get rid of the "probing" part, so the user 
would have to explicitly specify the demuxer to use them.

Regards,
Marton

On 5/10/2018 11:17 PM, Marton Balint wrote:
> 
> Maybe it is better if we simply get rid of the "probing" part, so the 
> user would have to explicitly specify the demuxer to use them.

+1

Maybe shift such probes to inside a block and add a new generic lavf 
option to set whether such probes are enabled. Default would to require 
user-set demuxer.

Regards,
Gyan

On Thu, May 10, 2018 at 6:52 PM, Gyan Doshi <gyandoshi@gmail.com> wrote:
> On 5/10/2018 11:17 PM, Marton Balint wrote:
>> Maybe it is better if we simply get rid of the "probing" part, so the user
>> would have to explicitly specify the demuxer to use them.
>
> +1
>
> Maybe shift such probes to inside a block and add a new generic lavf option
> to set whether such probes are enabled. Default would to require user-set
> demuxer.

I don't object to either approach.

- Derek

On Thu, May 10, 2018 at 04:44:59PM +0100, Derek Buitenhuis wrote:
> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, an only
> makes it easier for potential attackers to gain the contents of
> system files.
> 
> Disable building these by default.
> 
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> ---
> I've been hard disabling these at $dayjob for a long time, after some
> "interesting" upload attempts, but it should probably be done for
> everyone.
> 
> I'm not overly attached implementaion details like the option name
> or whether it's done at build time ot runtime, but I think the concept
> of "don't render arbitrary system text files" is an important one.
> ---
>  Changelog     | 1 +
>  configure     | 7 +++++++
>  tests/fate.sh | 1 +
>  3 files changed, 9 insertions(+)
> 
> diff --git a/Changelog b/Changelog
> index d442ced..e3f8e83 100644
> --- a/Changelog
> +++ b/Changelog
> @@ -6,6 +6,7 @@ version <next>:
>  - tmix filter
>  - amplify filter
>  - fftdnoiz filter
> +- unsafe demuxers that render text files now disabled by default

The problem and the suggested solution seem only somewhat overlapping

please correct me if iam wrong, theres quite a bit iam guessing here
IIUC the problem is that in your usecase 
1. ffmpeg has access to sensitive files
2. one of these files can be opened by an attacker with ffmpeg
2b. This involves the file being probed as a supported format
3. The file is then demuxed, decoded, encoded, muxed
4. the result is given back to the attacker

This patchset removes one of the demuxers involved in the attack

The first problem of this patchset is that it does not provide any
evidence of how the other demuxers probe functions can trigger on
random text files.
for example idf_probe() requires, the first 12 bytes of the file  to
match exactly and some of these are not text. So a attack which depends
on the probing of sensitive text data to succeed should not work with it

The second problem i see is that the patch disables the demuxers, while
disabling the probe functions affected should have the same effect
security wise but is a smaller step in respect to disabling.

The third problem i see is that really once you read sensitive data
and pass something back to the user you already lost.
A text demuxer and decoder makes it easier and it makes it much easier
to demonstrate the attack in a flashy way. But having the probe code
access the sensitive data even if none succeeds already makes quite
a bit of internal state (caches, branch prediction, deallocated memory, ...)
be contaminated with sensitive information. Its hard to ensure that
none of this can be recovered by the attacker.

I think first ffmpeg should not be able to access sensitive data.
Then none of our probe functions should succeed on the average
sensitive text file. If one does, we should look into making it not
detect that.

Also it may seem counter-intuitive but adding a probe function which
is designed to succeed on sensitive text files may be more reliable
to stop their detection than to disable probe functions.
The probe system is basically doing differential probing. That is
the one of 2 that has the higher score wins.
So it may be more effective to add a function that that returns a
high score intentionally for a null demuxer than to try to stop
every function that returns more than 0
if such probe code is added, it also could maybe warn the admin about a
potential misconfiguration that allows probing to reach to sensitive
data.


[...]

2018-05-10 17:44 GMT+02:00, Derek Buitenhuis <derek.buitenhuis@gmail.com>:
> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, an only
> makes it easier for potential attackers to gain the contents of
> system files.
>
> Disable building these by default.
>
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> ---
> I've been hard disabling these at $dayjob for a long time, after some
> "interesting" upload attempts, but it should probably be done for
> everyone.
>
> I'm not overly attached implementaion details like the option name
> or whether it's done at build time ot runtime, but I think the concept
> of "don't render arbitrary system text files" is an important one.

Disabling demuxers by default does not seem to be a good idea to me.

Carl Eugen

On 2018-05-10 17:44, Derek Buitenhuis wrote:
> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, an only
> makes it easier for potential attackers to gain the contents of
> system files.
> 
> Disable building these by default.
> 
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> ---
> I've been hard disabling these at $dayjob for a long time, after some
> "interesting" upload attempts, but it should probably be done for
> everyone.
> 
> I'm not overly attached implementaion details like the option name
> or whether it's done at build time ot runtime, but I think the concept
> of "don't render arbitrary system text files" is an important one.
> ---

You web people already have options for the various annoying whitelists.
 Is this not covered by one of them?

On Thu, 10 May 2018 16:44:59 +0100
Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:

> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, an only
> makes it easier for potential attackers to gain the contents of
> system files.
> 
> Disable building these by default.
> 
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> ---

+1

You should send a patch that disables all those useless game demuxers
too. They only cause security issues and bloated library sizes.

On 5/11/18, wm4 <nfxjfg@googlemail.com> wrote:
> On Thu, 10 May 2018 16:44:59 +0100
> Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
>
>> These demuxers have probes that mainly probe based on file extension,
>> and map to codec IDs that render text as video. The result is that
>> ffmpeg will, by default, happily render, for example, .txt files
>> as images. This is not exactly a good security practice, an only
>> makes it easier for potential attackers to gain the contents of
>> system files.
>>
>> Disable building these by default.
>>
>> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
>> ---
>
> +1
>
> You should send a patch that disables all those useless game demuxers
> too. They only cause security issues and bloated library sizes.

Against.

> Disabling demuxers by default does not seem to be a good idea to me.

So rendering arbitrary text files by default seems like a good idea in
comparsion?

- Derek

> You web people already have options for the various annoying whitelists.
>  Is this not covered by one of them?

As noted in my other reply to Paul, I find it a poor choice to shunt
the responsibility
of good/secure defaults to the user.

As a side note, derisively referring to me as "you web people" isn't
particularily charming.

- Derek

On 5/11/18, Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
>> Disabling demuxers by default does not seem to be a good idea to me.
>
> So rendering arbitrary text files by default seems like a good idea in
> comparsion?

That is useful feature.

> please correct me if iam wrong, theres quite a bit iam guessing here
> IIUC the problem is that in your usecase
> 1. ffmpeg has access to sensitive files
> 2. one of these files can be opened by an attacker with ffmpeg
> 2b. This involves the file being probed as a supported format

It is "probed" as file extension mostly. .txt is one of these
extensions, which 99.999999999999999%
of the time, is not a multimedia file, for example.

> 3. The file is then demuxed, decoded, encoded, muxed
> 4. the result is given back to the attacker
>
> This patchset removes one of the demuxers involved in the attack

Not removed. Disabled. As discussed in other replies, making it manual
also seems
fine to me. Rendering arbitrary text files as images (as in, rendering
the text using
a built in font, to an image with that text in it) isn't exactly a
great and secure default
behavior, especially for the world's most commont text file extension...

> The first problem of this patchset is that it does not provide any
> evidence of how the other demuxers probe functions can trigger on
> random text files.

ffmpeg -i something.txt a.png

But really, it is not necssarily an attack on its own (it could be),
but it makes any
other attack vastly easier to exploit. For example, that HLS stuff
avformat had fixed
last year could have pointed at various .txt files. I don't really
understand why the
concept of "rendering arbitrary text files as images" is not obviously bad?

> for example idf_probe() requires, the first 12 bytes of the file  to
> match exactly and some of these are not text. So a attack which depends
> on the probing of sensitive text data to succeed should not work with it

it is not specifci to probing. It's choosing e.g. the ansi decoder based off the
.txt file extension, for example. Or the bintext decoder based off the
.bin extension.

> The second problem i see is that the patch disables the demuxers, while
> disabling the probe functions affected should have the same effect
> security wise but is a smaller step in respect to disabling.

As noted in my reply to Marton and Gyan, I'm fine with this approach,
as the implications
are the same.

> The third problem i see is that really once you read sensitive data
> and pass something back to the user you already lost.

[...]

> A text demuxer and decoder makes it easier and it makes it much easier
> to demonstrate the attack in a flashy way. But having the probe code
> access the sensitive data even if none succeeds already makes quite
> a bit of internal state (caches, branch prediction, deallocated memory, ...)
> be contaminated with sensitive information. Its hard to ensure that
> none of this can be recovered by the attacker.

Ah the classic "well it can technically be beaten, you may as well make it
as easy as possible" argument that people use to argue against things
like ASLR... :|

The point is to minimize the risk where possible, with good defaults for *all*
users. It's not a great thing to just point at users and go "well you
should have
done a better job containerizing/sandboxing/etc." IMO.

> I think first ffmpeg should not be able to access sensitive data.
> Then none of our probe functions should succeed on the average
> sensitive text file. If one does, we should look into making it not
> detect that.

The succeed because libavformat loves probing based on file extenions.

> Also it may seem counter-intuitive but adding a probe function which
> is designed to succeed on sensitive text files may be more reliable
> to stop their detection than to disable probe functions.

This is just adding more heuristics to probing, though

> The probe system is basically doing differential probing. That is
> the one of 2 that has the higher score wins.
> So it may be more effective to add a function that that returns a
> high score intentionally for a null demuxer than to try to stop
> every function that returns more than 0

Wouldn't this break a lot of currently "working" detection of
bad/broken files that
users seem to rely on? (I don't think they should rely on it, but
that's just my opinion.)

> if such probe code is added, it also could maybe warn the admin about a
> potential misconfiguration that allows probing to reach to sensitive
> data.

[...]

- Derek

On 10 May 2018 at 23:27, Paul B Mahol <onemda@gmail.com> wrote:

> On 5/11/18, wm4 <nfxjfg@googlemail.com> wrote:
> > On Thu, 10 May 2018 16:44:59 +0100
> > Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
> >
> >> These demuxers have probes that mainly probe based on file extension,
> >> and map to codec IDs that render text as video. The result is that
> >> ffmpeg will, by default, happily render, for example, .txt files
> >> as images. This is not exactly a good security practice, an only
> >> makes it easier for potential attackers to gain the contents of
> >> system files.
> >>
> >> Disable building these by default.
> >>
> >> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> >> ---
> >
> > +1
> >
> > You should send a patch that disables all those useless game demuxers
> > too. They only cause security issues and bloated library sizes.
>
> Against.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

I agree with Paul, game demuxers are useful, don't bloat much and can be
fixed.

On 11 May 2018 at 00:04, Paul B Mahol <onemda@gmail.com> wrote:

> On 5/11/18, Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
> >> Disabling demuxers by default does not seem to be a good idea to me.
> >
> > So rendering arbitrary text files by default seems like a good idea in
> > comparsion?
>
> That is useful feature.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

No, it isn't. Its not useful at all, you have no control over how they're
rendered and they're always rendered using CGA fonts from the 80's. They're
also very easily misprobed.

On 5/11/18, Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
>> please correct me if iam wrong, theres quite a bit iam guessing here
>> IIUC the problem is that in your usecase
>> 1. ffmpeg has access to sensitive files
>> 2. one of these files can be opened by an attacker with ffmpeg
>> 2b. This involves the file being probed as a supported format
>
> It is "probed" as file extension mostly. .txt is one of these
> extensions, which 99.999999999999999%
> of the time, is not a multimedia file, for example.
>
>> 3. The file is then demuxed, decoded, encoded, muxed
>> 4. the result is given back to the attacker
>>
>> This patchset removes one of the demuxers involved in the attack
>
> Not removed. Disabled. As discussed in other replies, making it manual
> also seems
> fine to me. Rendering arbitrary text files as images (as in, rendering
> the text using
> a built in font, to an image with that text in it) isn't exactly a
> great and secure default
> behavior, especially for the world's most commont text file extension...
>
>> The first problem of this patchset is that it does not provide any
>> evidence of how the other demuxers probe functions can trigger on
>> random text files.
>
> ffmpeg -i something.txt a.png
>
> But really, it is not necssarily an attack on its own (it could be),
> but it makes any
> other attack vastly easier to exploit. For example, that HLS stuff
> avformat had fixed
> last year could have pointed at various .txt files. I don't really
> understand why the
> concept of "rendering arbitrary text files as images" is not obviously bad?
>
>> for example idf_probe() requires, the first 12 bytes of the file  to
>> match exactly and some of these are not text. So a attack which depends
>> on the probing of sensitive text data to succeed should not work with it
>
> it is not specifci to probing. It's choosing e.g. the ansi decoder based off
> the
> .txt file extension, for example. Or the bintext decoder based off the
> .bin extension.
>
>> The second problem i see is that the patch disables the demuxers, while
>> disabling the probe functions affected should have the same effect
>> security wise but is a smaller step in respect to disabling.
>
> As noted in my reply to Marton and Gyan, I'm fine with this approach,
> as the implications
> are the same.
>
>> The third problem i see is that really once you read sensitive data
>> and pass something back to the user you already lost.
>
> [...]
>
>> A text demuxer and decoder makes it easier and it makes it much easier
>> to demonstrate the attack in a flashy way. But having the probe code
>> access the sensitive data even if none succeeds already makes quite
>> a bit of internal state (caches, branch prediction, deallocated memory,
>> ...)
>> be contaminated with sensitive information. Its hard to ensure that
>> none of this can be recovered by the attacker.
>
> Ah the classic "well it can technically be beaten, you may as well make it
> as easy as possible" argument that people use to argue against things
> like ASLR... :|
>
> The point is to minimize the risk where possible, with good defaults for
> *all*
> users. It's not a great thing to just point at users and go "well you
> should have
> done a better job containerizing/sandboxing/etc." IMO.
>
>> I think first ffmpeg should not be able to access sensitive data.
>> Then none of our probe functions should succeed on the average
>> sensitive text file. If one does, we should look into making it not
>> detect that.
>
> The succeed because libavformat loves probing based on file extenions.
>
>> Also it may seem counter-intuitive but adding a probe function which
>> is designed to succeed on sensitive text files may be more reliable
>> to stop their detection than to disable probe functions.
>
> This is just adding more heuristics to probing, though
>
>> The probe system is basically doing differential probing. That is
>> the one of 2 that has the higher score wins.
>> So it may be more effective to add a function that that returns a
>> high score intentionally for a null demuxer than to try to stop
>> every function that returns more than 0
>
> Wouldn't this break a lot of currently "working" detection of
> bad/broken files that
> users seem to rely on? (I don't think they should rely on it, but
> that's just my opinion.)
>
>> if such probe code is added, it also could maybe warn the admin about a
>> potential misconfiguration that allows probing to reach to sensitive
>> data.
>
> [...]

If you think you are fixing security issue you are very wrong.

> If you think you are fixing security issue you are very wrong.

You've nailed that "saying what you think" part of communication, but
need to word a little
on the all important "saying why you think that" part. Keep
practicing, you can do it. I
believe in you.

- Derek

On 5/11/18, Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
>> If you think you are fixing security issue you are very wrong.
>
> You've nailed that "saying what you think" part of communication, but
> need to word a little
> on the all important "saying why you think that" part. Keep
> practicing, you can do it. I
> believe in you.

I do not have time to explain security basics.
Get a decent book and read it from a start to an end.

On Fri, 11 May 2018 00:21:37 +0100
Rostislav Pehlivanov <atomnuker@gmail.com> wrote:

> On 10 May 2018 at 23:27, Paul B Mahol <onemda@gmail.com> wrote:
> 
> > On 5/11/18, wm4 <nfxjfg@googlemail.com> wrote:  
> > > On Thu, 10 May 2018 16:44:59 +0100
> > > Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
> > >  
> > >> These demuxers have probes that mainly probe based on file extension,
> > >> and map to codec IDs that render text as video. The result is that
> > >> ffmpeg will, by default, happily render, for example, .txt files
> > >> as images. This is not exactly a good security practice, an only
> > >> makes it easier for potential attackers to gain the contents of
> > >> system files.
> > >>
> > >> Disable building these by default.
> > >>
> > >> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> > >> ---  
> > >
> > > +1
> > >
> > > You should send a patch that disables all those useless game demuxers
> > > too. They only cause security issues and bloated library sizes.  
> >
> > Against.
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >  
> 
> I agree with Paul, game demuxers are useful, don't bloat much and can be
> fixed.

Experience shows that it's always the obscure features which cause
security issues. Regarding the bloat: these small things add up a lot,
and suddenly you have hundreds of demuxers. It's hard to filter them
out manually, and why make each user do that? Many of these game formats
in particular probably have something like under a dozen files in the
universe that exist at all (such as the files included in a particular
game release).

On Fri, May 11, 2018 at 12:35 AM, Paul B Mahol <onemda@gmail.com> wrote:
> I do not have time to explain security basics.
> Get a decent book and read it from a start to an end.

Speaking frankly for a second: Why do people put up with this sort of
crud on this
mailing list?

Insult-laden fact-less response. It's insane. It's like I'm flashing
back to ffmpeg-devel
in 2006.

- Derek

On Fri, May 11, 2018 at 12:41 AM, Derek Buitenhuis
<derek.buitenhuis@gmail.com> wrote:
> Speaking frankly for a second: Why do people put up with this sort of
> crud on this
> mailing list?

Unrelatedly, sorry for the broken linebreaks. Bad MUA...

- Derek

On Fri, 11 May 2018 00:41:20 +0100
Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:

> On Fri, May 11, 2018 at 12:35 AM, Paul B Mahol <onemda@gmail.com> wrote:
> > I do not have time to explain security basics.
> > Get a decent book and read it from a start to an end.  
> 
> Speaking frankly for a second: Why do people put up with this sort of
> crud on this
> mailing list?
> 
> Insult-laden fact-less response. It's insane. It's like I'm flashing
> back to ffmpeg-devel
> in 2006.

Because there are no consequences, no leadership, no conflict
arbitration. It's a joke of a project.

On Fri, May 11, 2018 at 12:36 AM, wm4 <nfxjfg@googlemail.com> wrote:
> Experience shows that it's always the obscure features which cause
> security issues. Regarding the bloat: these small things add up a lot,
> and suddenly you have hundreds of demuxers. It's hard to filter them
> out manually, and why make each user do that? Many of these game formats
> in particular probably have something like under a dozen files in the
> universe that exist at all (such as the files included in a particular
> game release).

I think this is a tangental battle for another day. Not really
related to the patch/RFC at hand.

- Derek

On 2018-05-11 00:57, Derek Buitenhuis wrote:
>> Disabling demuxers by default does not seem to be a good idea to me.
> 
> So rendering arbitrary text files by default seems like a good idea in
> comparsion?

I want to argue some more so here you go: it isn't "by default".

It gets rendered because you asked for it to be rendered.  You asked for
/etc/passwd to be rendered so ffmpeg did that.  It produced a nice 4K
video of the file with all your secrets clearly legible in it.  Why do
you care?  Surely nobody will see it.  Surely you're not going to upload
this file to the public Internet.

I don't care that you do encode any random file that someone uploads to
you.  I don't care that you do put the results on the public net.  I do
care a little that ffmpeg understands playlist files but not in the same
way you do.  I do care a little that ffmpeg does so much magic for you
but not in the same way you do.

I haven't tried to stand in the way of other bad changes to ffmpeg (like
the fact that the flac muxer will now mux video streams) and I won't try
to stand in the way of this one.

On 11 May 2018 at 00:44, wm4 <nfxjfg@googlemail.com> wrote:

> On Fri, 11 May 2018 00:41:20 +0100
> Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
>
> > On Fri, May 11, 2018 at 12:35 AM, Paul B Mahol <onemda@gmail.com> wrote:
> > > I do not have time to explain security basics.
> > > Get a decent book and read it from a start to an end.
> >
> > Speaking frankly for a second: Why do people put up with this sort of
> > crud on this
> > mailing list?
> >
> > Insult-laden fact-less response. It's insane. It's like I'm flashing
> > back to ffmpeg-devel
> > in 2006.
>
> Because there are no consequences


There are consequeces, the consequences being broken design and/or features


no leadership


Just because there are many people determining what happens doesn't mean no
one is leading.


no conflict arbitration.
>

There is conflict arbitration, we're doing it right now in fact.

On Fri, 11 May 2018 00:53:16 +0100
Rostislav Pehlivanov <atomnuker@gmail.com> wrote:

> On 11 May 2018 at 00:44, wm4 <nfxjfg@googlemail.com> wrote:
> 
> > On Fri, 11 May 2018 00:41:20 +0100
> > Derek Buitenhuis <derek.buitenhuis@gmail.com> wrote:
> >  
> > > On Fri, May 11, 2018 at 12:35 AM, Paul B Mahol <onemda@gmail.com> wrote:  
> > > > I do not have time to explain security basics.
> > > > Get a decent book and read it from a start to an end.  
> > >
> > > Speaking frankly for a second: Why do people put up with this sort of
> > > crud on this
> > > mailing list?
> > >
> > > Insult-laden fact-less response. It's insane. It's like I'm flashing
> > > back to ffmpeg-devel
> > > in 2006.  
> >
> > Because there are no consequences  
> 
> 
> There are consequeces, the consequences being broken design and/or features
> 
> 
> no leadership
> 
> 
> Just because there are many people determining what happens doesn't mean no
> one is leading.
> 
> 
> no conflict arbitration.
> >  
> 
> There is conflict arbitration, we're doing it right now in fact.

Yeah, we can just flame each other as hard as we can every time, until
someone gives up out of boredom or disgust. This is why ffmpeg is one
of the worst open source projects around.

On Fri, May 11, 2018 at 12:49 AM, James Darnley <james.darnley@gmail.com> wrote:
> I want to argue some more so here you go: it isn't "by default".

Strange definition of default, but OK.

> It gets rendered because you asked for it to be rendered.  You asked for
> /etc/passwd to be rendered so ffmpeg did that.  It produced a nice 4K
> video of the file with all your secrets clearly legible in it.  Why do
> you care?  Surely nobody will see it.  Surely you're not going to upload
> this file to the public Internet.

I think you might lack some imagination on how people use the API,
nd how people use the FFmpeg cli. This for example, pre-HLS CVE patches,
let someone upload a m3u8 that pointed to e.g. /something/password.txt
and have it rendered. It's not a all-or-nothing sort of thing.

> I don't care that you do encode any random file that someone uploads to
> you.  I don't care that you do put the results on the public net.  I do
> care a little that ffmpeg understands playlist files but not in the same
> way you do.  I do care a little that ffmpeg does so much magic for you
> but not in the same way you do.

So basically you don't care at all about making ffmpeg less exploitable by
various users. Great.

Gotta say, this is one mighty poor attitude towards security. But OK.

> I haven't tried to stand in the way of other bad changes to ffmpeg (like
> the fact that the flac muxer will now mux video streams) and I won't try
> to stand in the way of this one.

Fine. Patch dropped. Have a good day/night. I don't have the mental
energy to deal with this endless infighting, feces-flinging, and insane
approach to safety/sanity. I'm not going to spend my spare time
smashing my head against a wall and being insulted.

This will be my last response in the thread.

- Derek

On Fri, 11 May 2018 01:49:58 +0200
James Darnley <james.darnley@gmail.com> wrote:

> ...

Security in ffmpeg sure is weird. On one hand we get all kinds of crazy
stuff that's supposed to mitigate... something (like whitelists), on
the other hand we get this.

> I haven't tried to stand in the way of other bad changes to ffmpeg (like
> the fact that the flac muxer will now mux video streams) and I won't try
> to stand in the way of this one.

That sounds insane, but it's probably about cover art. Only ffmpeg is
insane enough to treat cover art as single-frame video stream. (And
as an API user I've really tried hard to make this work, but it remains
a painful special case.)

So, not sure why you claim it's a "bad change" to add support for that
in the flac muxer. It merely follows the ffmpeg API.

Anyway, I guess D. B. is right and this thread is a fucking waste of
time, so goodbye.

On Fri, May 11, 2018 at 12:14:47AM +0100, Derek Buitenhuis wrote:
> > please correct me if iam wrong, theres quite a bit iam guessing here
> > IIUC the problem is that in your usecase
> > 1. ffmpeg has access to sensitive files
> > 2. one of these files can be opened by an attacker with ffmpeg
> > 2b. This involves the file being probed as a supported format
> 
> It is "probed" as file extension mostly. .txt is one of these
> extensions, which 99.999999999999999%
> of the time, is not a multimedia file, for example.
> 
> > 3. The file is then demuxed, decoded, encoded, muxed
> > 4. the result is given back to the attacker
> >
> > This patchset removes one of the demuxers involved in the attack
> 
> Not removed. Disabled. As discussed in other replies, making it manual
> also seems
> fine to me. Rendering arbitrary text files as images (as in, rendering
> the text using
> a built in font, to an image with that text in it) isn't exactly a
> great and secure default
> behavior, especially for the world's most commont text file extension...

Do you think a document converter should by default not allow to open
multimedia files and embed them into documents ?
(not saying i think it should or should not)

What you suggest is similar, a multimedia converter by default
(not) supporting reading documents.

You later in the mail compare this to ASLR, i dont think this is at
the same level. ASLR provides broad protection, disabling
the .txt/.bin demuxers (which btw does not prevent other demuxers to open
.txt/.bin files) does not seem to be a comparable feature.

Of course every time you disable a feature the attack surface decreases,
in that sense it makes sense to disable all unneeded features whenever
security matters.
Iam not sure we know what is "unneeded" to the end user.

also where are security relevant *.txt files ? i looked at my /etc
and there where none.


> 
> > The first problem of this patchset is that it does not provide any
> > evidence of how the other demuxers probe functions can trigger on
> > random text files.
> 
> ffmpeg -i something.txt a.png
> 
> But really, it is not necssarily an attack on its own (it could be),
> but it makes any
> other attack vastly easier to exploit. For example, that HLS stuff
> avformat had fixed
> last year could have pointed at various .txt files. I don't really
> understand why the
> concept of "rendering arbitrary text files as images" is not obviously bad?

as long as we support rawvideo input by default, disabling text input does
not gain much security. rawvideo is multimedia, noone suggested to disable
it.
The probing / extension based detection, yes changes there should be able
to gain some security and we should possibly tighten this down where theres
an agreement.

as i was curious i looked at my /etc/ and /etc/*/ and from
3580 files there are 929 matches for 'Probing .* score:'

      1 mpeg
      3 svg_pipe
      9 png_pipe
     10 bin
     12 image2
     25 mpegts
     39 lrc
    830 mp3
    
and for 'probed with size|detected only with low score of'

      3 svg_pipe
      9 png_pipe
     24 mpegts
     29 lrc
    161 mp3
    
from the stuff above, the svg and png are correct detected
  

From this it appears to me that file extension while its an issue is not
the only and based on this, not the biggest

[...]