AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs
thehackernews.com
Posted by themachinestops@lemmy.dbzer0.com to Technology@lemmy.world · English · 11 hours ago · 27 comments

greyscaleA · 10 hours ago
Does nobody isolate ffmpeg and friends from their application? I can’t imagine you’d have much fun breaking into a container that terminates the moment the original ffmpeg stops, or over-runs its max execution time…

VibeSurgeon@piefed.social · 2 hours ago
Sure, you’d need a second exploit to escalate from there. ffmpeg is expected to run for extended periods of time, given its use in transcoding.

[object Object]@lemmy.ca · 9 hours ago
Container escapes do exist, and they have a shared kernel with the host.

Passerby6497@lemmy.world · 8 hours ago
If you’re running rootless containers, it’s less of a concern. I’m trying to move all of my public containers to podman for this reason.
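
Added example (not part of the thread or any commenter's post): one way to run a single ffmpeg job in the kind of throwaway, time-limited, rootless podman container the comments describe. The image name, paths, resource limits and the `sandbox` function are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Image name, paths and limits are assumptions.
IMAGE=${IMAGE:-localhost/ffmpeg-sandbox:latest}  # placeholder: any image with ffmpeg on PATH
MAX_SECONDS=${MAX_SECONDS:-3600}                 # wall-clock cap; size it to your longest transcode

# usage: sandbox print|run /abs/input/file /abs/output/dir
sandbox() {
  mode=$1 in_file=$2 out_dir=$3
  # Absolute paths only, and no ':' (it would change how -v parses the mount spec).
  case "$in_file$out_dir" in *:*) echo "refusing path containing ':'" >&2; return 2 ;; esac
  case "$in_file" in /*) ;; *) echo "input must be an absolute path" >&2; return 2 ;; esac
  case "$out_dir" in /*) ;; *) echo "output dir must be an absolute path" >&2; return 2 ;; esac
  in_name=$(basename -- "$in_file")

  # ffmpeg is the container's only process, so the container ends when it exits
  # and --rm deletes it; --timeout kills a job that overruns MAX_SECONDS.
  # No network, read-only rootfs, no capabilities, no setuid escalation, and
  # read-only input shrink what a compromised decoder can reach. The kernel is
  # still shared with the host. Rootless memory/pids limits need cgroup v2.
  set -- podman run --rm \
    --timeout="$MAX_SECONDS" \
    --network=none \
    --read-only --tmpfs=/tmp:rw,noexec,nosuid,size=64m \
    --cap-drop=all --security-opt=no-new-privileges \
    --userns=keep-id \
    --pids-limit=64 --memory=1g \
    -v "$in_file:/in/$in_name:ro" \
    -v "$out_dir:/out:rw" \
    "$IMAGE" \
    ffmpeg -nostdin -i "/in/$in_name" "/out/${in_name%.*}.mp4"

  case "$mode" in
    print) printf '%s\n' "$@" ;;   # one argument per line, for review or tests
    run)
      if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root: start this from an unprivileged account" >&2
        return 1
      fi
      "$@" ;;
    *) echo "usage: sandbox print|run INPUT OUTPUT_DIR" >&2; return 64 ;;
  esac
}
```

`sandbox print` shows the exact podman arguments without starting anything; `sandbox run` executes them and refuses to do so as root, so the container stays rootless.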