Fedora Linux Can Finally Offer AAC Audio Codec Support


  • #11
    Originally posted by uid313 View Post
    I am scared of websites having <video src="evil.aac">, <video src="evil.mp4"> and trying a list of dozens of different codecs and formats that might be installed on the system with payloads generated through fuzzing.
    It is scary. It sounds like a huge security hole. A simple HTML page or forum post might be enough to hack every Linux user that visits.
    If you are truly scared you should do more than just running in circles screaming (what your posts mentioning this amount to, if we were in real life and not in cyberspace).

    As for the security issue I'm not terribly worried. Linux is not a target, too little userbase to justify setting up some scheme like this. Linux malware almost always targets servers, not clients.


    • #12
      Originally posted by uid313 View Post
      I am scared of websites having <video src="evil.aac">, <video src="evil.mp4"> and trying a list of dozens of different codecs and formats that might be installed on the system with payloads generated through fuzzing.
      It is scary. It sounds like a huge security hole. A simple HTML page or forum post might be enough to hack every Linux user that visits.
      Linux browsers basically all use ffmpeg, either directly (Firefox, Chrome/Chromium) or indirectly via gstreamer (webkitgtk). And ffmpeg receives a looooooot of fuzz testing, particularly by Google (people upload all sorts of stuff to YouTube, Google wants to handle all that safely and correctly), so it's quite safe. Nothing is ever fully safe, but ffmpeg is in good shape here due to all the fuzz testing.

      However, browsers tend to use ffmpeg only for decoding, while multimedia files need to be parsed and demuxed before the individual streams can be decoded. ffmpeg can do parsing/demuxing too, but browsers typically have their own parser code. But what I'm about to say here should make you extremely happy - Firefox's mp4 parser is written in... wait for it... Rust. So there.


      • #13
        Originally posted by uid313 View Post

        I am scared of websites having <video src="evil.aac">, <video src="evil.mp4"> and trying a list of dozens of different codecs and formats that might be installed on the system with payloads generated through fuzzing.
        It is scary. It sounds like a huge security hole. A simple HTML page or forum post might be enough to hack every Linux user that visits.
        Easy workaround: Don't autoplay any media from websites! If you're really scared, block images too :-)


        • #14
          Lynx is a perfectly capable web browser...


          • #15
            Originally posted by uid313 View Post

            But then each application has to be responsible for implementing that, or the user who runs the application.
            It would be better if the parsers and decoders were designed to be inherently safe.
            Then get coding, instead of complaining on forums that people aren't devoting all their own time to satisfying your demands.


            • #16
              Originally posted by uid313 View Post
              But is it safe to let a decoder written in C decode any file you throw at it?
              Shouldn't the decoder be written in Rust?
              The Linux kernel is written in C. Go bother people using the Rust-based OS. Rust isn’t perfect. It’s just designed the way people think programming should work now.


              • #17
                Originally posted by droste View Post

                Easy workaround: Don't autoplay any media from websites! If you're really scared, block images too :-)
                That's not so easy. That is what browsers do. Especially if given the autoplay attribute.
                <video src="foo.mp4" autoplay />


                • #18
                  Originally posted by uid313 View Post
                  That's not so easy. That is what browsers do. Especially if given the autoplay attribute.
                  <video src="foo.mp4" autoplay />
                  Introducing something new and completely unheard of: advanced browser settings of Firefox!

                  And of course NoScript addon, that keeps them locked down by default, among other things.

                  And for the dumb users using dumb browsers like Chrome, there are extensions installable with a couple clicks!


                  • #19
                    Originally posted by DanL View Post
                    Is Fedora's ffmpeg package going to be built to use it or is it strictly a gstreamer plugin at this point?
                    Fedora doesn't have an official ffmpeg package (well technically Chromium has a stripped down bundle of it).


                    • #20
                      Thanks for clearing that up. I thought that if Debian would distribute ffmpeg, then Fedora would.
