> This is a bug in the default config that is likely to result in RCE, it doesn’t get that much worse than this.
Likely to get RCE? No. Not every UAF results in an RCE. Also, someone would have to find this and it's clearly not something you can easily spot from the code.
Google did extensive fuzzing to discover it.
The trade-off is that FFmpeg had to divert resources to fix this, when the chance it would have been discovered independently is tiny, and exploited even tinier.
What do you believe would be an appropriate timeline?
> especially if you consider other security notices that may have a bigger impact.
This is a bug in the default config that is likely to result in RCE, it doesn’t get that much worse than this.