Bug 268786 - multimedia/ffmpeg add option to disable network
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Thomas Zander
Reported: 2023-01-06 15:01 UTC by Alexander Ushakov
Modified: 2023-01-15 22:15 UTC
riggs: maintainer-feedback+


Description Alexander Ushakov 2023-01-06 15:01:27 UTC
FFmpeg has been reported many times with different vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-3611/Ffmpeg.html
Most of them exploit vulnerabilities in network protocols and requests.

FFmpeg has a configure option, --disable-network, which completely disables network support. It would increase the security of the system if there were an option to disable the network in the ffmpeg port by adding this option to the build configuration.
Comment 1 Thomas Zander freebsd_committer freebsd_triage 2023-01-06 17:04:30 UTC
Will take a look
Comment 2 Daniel Engberg freebsd_committer freebsd_triage 2023-01-06 17:39:15 UTC
Not sure what the actual benefit is since most systems are either connected or offline? If it's a connected system you have more attack vectors than ffmpeg which rarely is accessible by external users.
Comment 3 Alexander Ushakov 2023-01-07 10:48:09 UTC
(In reply to Daniel Engberg from comment #2)
A typical case is when ffmpeg is used for processing local or uploaded files. In this case there is no need for a network connection to remote servers from ffmpeg, and the network can be disabled.
My concerns arose after I read https://news.ycombinator.com/item?id=10893301 - a special mp4 file allowed local files to be sent away. If the network had been disabled, this attack could not take place even with a vulnerable ffmpeg version.
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-01-08 16:23:53 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8855990a698ea489ad155282471df4ce864b8fad

commit 8855990a698ea489ad155282471df4ce864b8fad
Author:     Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2023-01-08 16:07:43 +0000
Commit:     Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2023-01-08 16:23:22 +0000

    multimedia/ffmpeg: Add NETWORK DEFAULT OPTION

    Details:
    Disabling the NETWORK OPTION (DEFAULT) allows users to compile ffmpeg
    without networking code in libavcodec.

    PR:             268786
    Reported by:    Alexander Ushakov <alexander@polyvizor.com>
    MFH:            2023Q1

 multimedia/ffmpeg/Makefile | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-01-08 23:39:15 UTC
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bbc10a27f343b1a3cd34139498cfca70ac43580a

commit bbc10a27f343b1a3cd34139498cfca70ac43580a
Author:     Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2023-01-08 16:07:43 +0000
Commit:     Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2023-01-08 23:38:29 +0000

    multimedia/ffmpeg: Add NETWORK DEFAULT OPTION

    Details:
    Disabling the NETWORK OPTION (DEFAULT) allows users to compile ffmpeg
    without networking code in libavcodec.

    PR:             268786
    Reported by:    Alexander Ushakov <alexander@polyvizor.com>
    MFH:            2023Q1

    (cherry picked from commit 8855990a698ea489ad155282471df4ce864b8fad)

 multimedia/ffmpeg/Makefile | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
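
One way to confirm that an ffmpeg built with the NETWORK option disabled really carries no network protocols; this is an added example, not code from the bug report or the port. It parses the text printed by `ffmpeg -hide_banner -buildconf` and `ffmpeg -hide_banner -protocols`; the function names, the protocol list and the sample outputs are assumptions constructed for illustration.

```sh
# FFmpeg protocols that depend on its network layer (illustrative subset, an assumption).
NET_PROTOS="ftp gopher http https httpproxy icecast mmsh mmst rtmp rtmps rtp sctp srtp tcp tls udp"

# stdin: `ffmpeg -hide_banner -protocols` text; stdout: each network protocol found, once.
network_protocols() {
    awk -v list="$NET_PROTOS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) net[a[i]] = 1 }
        NF == 1 && ($1 in net) && !seen[$1]++ { print $1 }
    '
}

# stdin: `ffmpeg -hide_banner -buildconf` text; succeeds if --disable-network was used.
built_without_network() {
    grep -q -e '--disable-network'
}

# $1 = buildconf text, $2 = protocols text. Exit 0 only for a confirmed no-network build.
audit_ffmpeg() {
    found=$(printf '%s\n' "$2" | network_protocols | tr '\n' ' ')
    found=${found% }
    if [ -n "$found" ]; then
        echo "network: $found"; return 1
    fi
    if ! printf '%s\n' "$1" | built_without_network; then
        echo "unconfirmed: --disable-network not in buildconf"; return 1
    fi
    echo "no-network"
}

# Constructed sample outputs (not captured from a real build).
SAMPLE_CONF_OFF='  configuration:
    --disable-network'
SAMPLE_CONF_ON='  configuration:
    --enable-gnutls'
SAMPLE_PROTOS_OFF='Input:
  concat
  file
Output:
  file'
SAMPLE_PROTOS_ON='Input:
  file
  http
  tcp
Output:
  file
  tcp'
# Live use: audit_ffmpeg "$(ffmpeg -hide_banner -buildconf)" "$(ffmpeg -hide_banner -protocols)"
audit_ffmpeg "$SAMPLE_CONF_OFF" "$SAMPLE_PROTOS_OFF" || true
audit_ffmpeg "$SAMPLE_CONF_ON" "$SAMPLE_PROTOS_ON" || true
```

The protocol listing is checked before the configure flag, so a binary that still lists a network protocol fails even if its build configuration claims otherwise.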