the dream is over
http://news.softpedia.com/news/zero-day-ffmpeg-vulnerability-lets-anyone-steal-files-from-remote-machines-498880.shtml
>>52426080
>We've been informed earlier today, January 13, 2016, that Arch Linux developers have already patched the FFmpeg 2.8.4 packages in the operating system by rebuilding them without the AppleHTTP and HLS demuxers.
feels good to be secure desu senpai
QUALITY GPL SOFTWARE
ffs if hackers couldn't read the source code this would never have happened.
open source = open to attack
I think I'll stick with my secure commercial OS with regular security updates
>>52426330
It's good that people can openly audit the source code and discover vulnerabilities. This whole process makes sure problems get found and fixed, which improves the quality of the software.
Security through obscurity is not the answer.
>>52426177
Band-aid fix. Enjoy no HLS.
Windows 10 Media Player is secure btw.
is nothing sacred anymore?
No flaw in Apple iTunes either
>>52426390
>Band-aid fix. Enjoy no HLS.
So? If this functionality is not important to you, you can go ahead and implement that patch while you wait for a proper fix to come from the ffmpeg developers.
Why are people on /g/ so aggressively stupid?
webms are affected?
>>52426390
>Windows 10 Media Player is secure
?
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-1032/Microsoft-Windows-Media-Player.html
>>52426364
This is a fundamentally good argument, but so is
>closed source - closed access: no way to find out there's not a virus, rootkit or backdoor
>>52426080
>ffmpeg
What is it? 2008?
Use avconv ffs
>>52426468
>Libav
Even Debian doesn't use that shit anymore
>>52426441
do you have remote management enabled?
you're fucked, your rare webms are gonna get stolen by nignogs
>>52426461
with how complex code is you wouldnt be able to find one even if it existed
So this means fuck all to people without remote capabilities enabled?
Am I affected if I stream videos with mpv using youtube-dl?
>>52426712
>Am I affected if I stream videos with mpv using youtube-dl?
Good question. I'm rebuilding FFmpeg and mpv just incase.
I blame Daiz
>>52426597
If you have it turned off shit won't happen.
check out my robot video guys
http://ftp.dlink.ru/pub/vpn/robot.mpg
very funny
free software strikes again!
It's existed for years on the dark web. When will you Linux fags learn?
>>52426365
Yet that is the only reason Linux and is x have security.
>implying the end user won't just enter their password anytime a piece of software asks them for it.
doesn't foobar2000 use ffmpeg?
Why does your ffmpeg even have network support enabled?
>>52426974
To read network streams
>>52426974
Because ffmpeg can decode and encode streams off of the internet
>>52426974
The feature is there, someone will use it, so we will enable it, right?
This is why you actually use Gentoo.
>>52426974
>Why does your ffmpeg even have network support enabled?
Why does emacs have a mail client? Or tetris?
>>52427134
>>52426080
So...should I limit all Internet use to a virtual machine that has limited shared file access with the host machine?
Vulnerabilities like this make me think that it would be the smart move. I realize there has been malware designed to detect and escape a VM, but that's a lot harder and therefore more rare.
If someone exploits a browser or media library they can read files or control execution on a machine with...no actual personal files. If I discover the exploit I can trash the VN and copy over a fresh one.
Why aren't we doing this?
>>52427148
because people are lazy
>>52427148
>Why aren't we doing this?
It's extremely inconvenient to have a vm that has no/limited file access to the host. How are you going to save some of your work or any other files? Manually? By accessing the crazy, unreadable structure of a virtual drive file? Or Send them over mail?
>>52427148
This is actually a pretty good idea. The only application people use for the internet anyway is the browser, right? Well that and system updates. Just use a VM for the web browser, and any files you download just use scp to move them to your machine.
>>52427301
>internet anyway is the browser, right?
Wrong.
>>52427301
and hopefully reduce the attack surface by not using vm extenders such as vmware tools which can be exploited
>>52427197
>It's extremely inconvenient to have a vm that has no/limited file access to the host.
>How are you going to save some of your work or any other files? Manually?
I imagine you could share one folder. I don't think malware could access host files outside that folder without detecting and compromising the VM itself (could be wrong???).
Some sites I would access on the host (i.e. banking; work). But must of the retarded shit we do on the Internet doesn't involve saving files except for meme and porn folders. Do I really need file access to watch a cat video sent by a friend which may be compromised with some zero day control the browser and then the OS shit?
The more I think about this the more I like it.
>>52427420
>>internet anyway is the browser, right?
>Wrong.
It's by far the largest surface for attack.
>>52427481
when VMs started getting popular I thought that one day OSes like Windows would evolve to run all applications in their own VM exactly for this reason, but forward-thinking from-the-ground-up stuff like iOS seems to be using a variant of FreeBSD jails.
>>52426461
>This is a fundamentally good argument
Actually it's not.
>>52426364
>I think I'll stick with my secure commercial OS with regular security updates
if it's "secure" as you say, why does it need security updates?
So, how do I prevent this from happening?
>>52428569
turn off all remote connections and management
>>52428569
Do not use a computer. I mean, security holes won't stop from happening but it will be 100% guaranteed that they will not affect you.
windows wins again. security through obscurity is the best protection
>>52426177
>AppleHTTP
>>52428588
Actually it's more that package managers lose again.
When it comes down to it, the only real advantage package managers have is that they're good for deduplicating dynamic libraries.
Take a vulnerability like this and you turn the whole thing on its head--package managers suddenly useless because every package that relies on the vulnerable package is suddenly a vector.
Whereas Windows is rife with static embedded libraries, and vulnerabilities are generally reduced to individual problem applications.
>>52427134
That's like asking why Python has libraries for handling mail or making video games.
Emacs is an Emacs Lisp interpreter that ships with a bunch of useful default scripts. Emacs has a mail client because there's a useful mail client Emacs Lisp program included in the default bundle.
On the other hand, ffmpeg is not a general programming language interpreter.
>>52428660
>every package that relies on the vulnerable package is suddenly a vector.
And all you have to do is update that one package and you've fixed the vulnerabilities in all of them.
Whereas in Windows you have to manually recompile or update every single fucking program that uses that library. Good luck tracking down which programs use d3dxpak74.dll, which version, whether they have the vulnerability, updating them, and hoping that the updated library actually works with the programs in question.
>>52427148
People call me tinfoil, but I spend most of my time in vm with linux. I have turned off:
shared folders
easy copy and paste
clipboard (between host and vm)
My main vm has 40gb on ssd. I do not turn it off, just suspend.
I have other vm for not secure shit where there is a snapshot revert after turn off.
>>52426974
youtube-dl
>>52428827
youtube-dl isn't vulnerable or even a part of ffmpeg itself. This is talking about some AppleHTTP and HLS bullshit.
>>52426080
>zero-day-ffmpeg-vulnerability
is cccp affected?
>>52427148
yah fuck this shit I'm gonna redo my setup during this weekend
fucking tired of all these motherfucking exploits
tfw thought about doing this could years ago when I read about 0days but thought it's too paranoid
>>52428785
just suspend? I've found the system runs a bit slower when I always suspend and never reboot
>>52428849
so I'm cool when I rip vids off of streaming sites? not youtube
>>52428934
technically, you're not cool, you're warm.
>>52428898
Yeah I had this problem few years ago on hd 5600, virtualbox and ubuntu, but I think it somekind of fuck up code by virtualbox devs.
Now I am using ssd + vmware + I have 13 months old vm and everything runs smooth.
>>52426080
https://www.youtube.com/watch?v=XOOLNPLikoA
>>52428898
I'm with you. I have two VMs already on my MBP for working with Windows tools and code. I think I'm going to isolate all browsing to a 3rd VM with Linux or maybe a virtualized copy of El Cap.
>>52426080
>the dream is over
We're flat stone cold lied to
>>52426080echo media-video/ffmpeg -network > /etc/portage/package.use/ffmpeg
Seriously, who the FUCK streams with ffmpeg?
>>52433015
>he doesn't stream using ffmpeg
Pleb desu
