Bug 268786

Summary: multimedia/ffmpeg add option to disable network
Product: Ports & Packages
Reporter: Alexander Ushakov <alexander>
Component: Individual Port(s)
Assignee: Thomas Zander <riggs>
Status: Closed FIXED
Severity: Affects Some People
CC: diizzy, riggs
Priority: ---
Flags: riggs: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any

Description Alexander Ushakov 2023-01-06 15:01:27 UTC
FFmpeg has been reported many times with different vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-3611/Ffmpeg.html
Most of them exploit vulnerabilities in network protocols and requests.

FFmpeg has a configure option, --disable-network, which completely disables network support. It would increase the security of the system if there were an option to disable network in the ffmpeg port by adding this option to the build configuration.
Comment 1 Thomas Zander freebsd_committer freebsd_triage 2023-01-06 17:04:30 UTC
Will take a look
Comment 2 Daniel Engberg freebsd_committer freebsd_triage 2023-01-06 17:39:15 UTC
Not sure what the actual benefit is since most systems are either connected or offline? If it's a connected system you have more attack vectors than ffmpeg which rarely is accessible by external users.
Comment 3 Alexander Ushakov 2023-01-07 10:48:09 UTC
(In reply to Daniel Engberg from comment #2)
A typical case is when ffmpeg is used for processing local or uploaded files. In this case there is no need for network connections to remote servers from ffmpeg, and network can be disabled.
My concerns appeared after I read https://news.ycombinator.com/item?id=10893301 - a special mp4 file made it possible to send local files away. If network had been disabled, this attack could not have taken place even with a vulnerable ffmpeg version.
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-01-08 16:23:53 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8855990a698ea489ad155282471df4ce864b8fad

commit 8855990a698ea489ad155282471df4ce864b8fad
Author:     Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2023-01-08 16:07:43 +0000
Commit:     Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2023-01-08 16:23:22 +0000

    multimedia/ffmpeg: Add NETWORK DEFAULT OPTION

    Details:
    Disabling the NETWORK OPTION (DEFAULT) allows users to compile ffmpeg
    without networking code in libavcodec.

    PR:             268786
    Reported by:    Alexander Ushakov <alexander@polyvizor.com>
    MFH:            2023Q1

 multimedia/ffmpeg/Makefile | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-01-08 23:39:15 UTC
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bbc10a27f343b1a3cd34139498cfca70ac43580a

commit bbc10a27f343b1a3cd34139498cfca70ac43580a
Author:     Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2023-01-08 16:07:43 +0000
Commit:     Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2023-01-08 23:38:29 +0000

    multimedia/ffmpeg: Add NETWORK DEFAULT OPTION

    Details:
    Disabling the NETWORK OPTION (DEFAULT) allows users to compile ffmpeg
    without networking code in libavcodec.

    PR:             268786
    Reported by:    Alexander Ushakov <alexander@polyvizor.com>
    MFH:            2023Q1

    (cherry picked from commit 8855990a698ea489ad155282471df4ce864b8fad)

 multimedia/ffmpeg/Makefile | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
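
One way to confirm that an ffmpeg built with the NETWORK option disabled really has no network protocols compiled in, shown as an added example that is not part of the bug report or the port. It parses the output of `ffmpeg -hide_banner -protocols`; the protocol list and the two sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ffmpeg -hide_banner -protocols` output (on stdin)
# for network protocols that a NETWORK-disabled build should not contain.

# Assumption: non-exhaustive list of protocols that need the network layer.
NET_PROTOCOLS="ftp gopher http https icecast mmsh mmst rtmp rtmpe rtmps rtmpt rtp sctp srtp tcp tls udp udplite unix"

# Print every network protocol found on stdin as "<section> <name>".
list_network_protocols() {
    awk -v nets="$NET_PROTOCOLS" '
        BEGIN { n = split(nets, a, " "); for (i = 1; i <= n; i++) net[a[i]] = 1 }
        /^Input:/  { section = "input";  next }
        /^Output:/ { section = "output"; next }
        section != "" && NF == 1 && ($1 in net) { print section, $1 }
    '
}

# Return 0 when no network protocol is listed, 1 (with a report) otherwise.
audit_protocols() {
    found=$(list_network_protocols)
    [ -z "$found" ] && return 0
    printf 'network protocols compiled in:\n%s\n' "$found" >&2
    return 1
}

# Constructed sample outputs (shortened), not captured from a real build.
sample_default() {
    printf '%s\n' 'Supported file protocols:' 'Input:' '  cache' '  file' \
        '  http' '  tcp' 'Output:' '  file' '  rtp' '  udp'
}
sample_no_network() {
    printf '%s\n' 'Supported file protocols:' 'Input:' '  cache' '  file' \
        '  pipe' 'Output:' '  file' '  pipe'
}

# Demonstration on the constructed samples.
for s in sample_default sample_no_network; do
    if "$s" | audit_protocols 2>/dev/null; then
        echo "$s: no network protocols"
    else
        echo "$s: network protocols present"
    fi
done

# Live use: ffmpeg -hide_banner -protocols 2>/dev/null | audit_protocols
```
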