The dependency ffmpeg 4.3 has critical CVEs #4191
FFmpeg 4.3 cannot be used due to some major bugs. FFmpeg 4.4 has already been out for some months now; however, it is not clear if we should package that version.
Should I test the new FFmpeg and plan for migration to it?
Also note that conda's
FFmpeg in conda-forge has been updated, and we've finished the migration (#5644), so I'm closing this.
🐛 Bug
In https://anaconda.org/pytorch/repo, the version of the dependency ffmpeg is 4.3, but ffmpeg 4.3 has several critical CVEs, listed below. All of these issues are buffer overflows, which may cause unexpected application behavior.
CVE-2021-33815
CVE-2021-30123
CVE-2020-14212
CVE-2020-35965
CVE-2020-35964
BTW, ffmpeg 4.4 provides the most fixes. And I didn't find any strict restrictions on the version of ffmpeg in the source code. Could you update the ffmpeg from v4.3 to v4.4?
cc @ezyang @gchanan @zou3519 @bdhirsh @jbschlosser @anjali411 @fmassa @vfdev-5 @pmeier
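The kind of check a packager would run before publishing a build that bundles ffmpeg, written here as an added example; it is not code from this issue or from the PyTorch project. It parses the banner line of `ffmpeg -version`, compares the release against a minimum fixed version, and reports the CVEs the issue lists when the build is older. The only values taken from the issue are the five CVE identifiers and the "4.4 carries the fixes" claim; treating 4.4 as the minimum fixed version, the function names, and the sample banners are this example's assumptions.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Identifiers copied from the issue text; the mapping to a minimum fixed
# release is this example's assumption, not an authoritative advisory table.
AFFECTED_CVES = [
    "CVE-2021-33815",
    "CVE-2021-30123",
    "CVE-2020-14212",
    "CVE-2020-35965",
    "CVE-2020-35964",
]
MIN_FIXED_VERSION: Tuple[int, int] = (4, 4)

# Matches release banners such as "ffmpeg version 4.3 ...", "ffmpeg version n4.4.1 ..."
# and "ffmpeg version 4.3.2-static ...". Git snapshots ("N-102443-g7c0a19d")
# deliberately do not match: their release cannot be determined from the banner.
_VERSION_RE = re.compile(r"ffmpeg version\s+n?v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_ffmpeg_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor[, patch]) from an `ffmpeg -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version: Optional[Tuple[int, ...]]) -> bool:
    """True when the release is older than MIN_FIXED_VERSION.

    An unparseable version is treated as vulnerable so the check fails closed
    rather than silently approving an unknown build.
    """
    if version is None:
        return True
    return tuple(version[:2]) < MIN_FIXED_VERSION


def audit_banner(banner: str) -> Dict[str, object]:
    """Produce a small report for one banner line."""
    version = parse_ffmpeg_version(banner)
    vulnerable = is_vulnerable(version)
    return {
        "version": version,
        "vulnerable": vulnerable,
        "cves": list(AFFECTED_CVES) if vulnerable else [],
    }


def audit_local_ffmpeg(binary: str = "ffmpeg") -> Dict[str, object]:
    """Run `<binary> -version` and audit the first line of its output."""
    out = subprocess.run([binary, "-version"], capture_output=True, text=True, check=True)
    return audit_banner(out.stdout.splitlines()[0])


# Constructed sample banners, in the format ffmpeg prints on its first line.
SAMPLE_OLD = "ffmpeg version 4.3 Copyright (c) 2000-2020 the FFmpeg developers"
SAMPLE_FIXED = "ffmpeg version n4.4.1 Copyright (c) 2000-2021 the FFmpeg developers"
SAMPLE_SNAPSHOT = "ffmpeg version N-102443-g7c0a19d Copyright (c) 2000-2021 the FFmpeg developers"

if __name__ == "__main__":
    for banner in (SAMPLE_OLD, SAMPLE_FIXED, SAMPLE_SNAPSHOT):
        print(audit_banner(banner))
```

Running the module prints one report per constructed banner; `audit_local_ffmpeg()` applies the same check to whatever `ffmpeg` is on `PATH`, which is the call a CI job would make before a conda package is uploaded.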