Hacker News

10 points by redbell 51 minutes ago | 3 comments

>The reach of this bug is what makes it serious. Any deployment that points FFmpeg at an attacker-influenced RTSP URL is exposed: media ingest pipelines fetching user-supplied stream URLs, surveillance and CCTV systems pulling RTSP feeds, and transcoding services processing remote AV1-over-RTP sources

Wow this is actually pretty serious - I'm even surprised its being published. There are several services where I can imagine this is exploitable today.

huflungdung 2 minutes ago

[dead]

bethekidyouwant 14 minutes ago

How does the browser use it ?unless they mean there’s a zero day in libavcodec

fpoling 6 minutes ago

Browsers run it in a sandbox process together with allocator hardening. Most of the bugs then are just crashed of the sandbox

Another option is WASM or WASM-style sandboxes if using another process is undesirable.