
Bug#729203: Recommendation to use FFMPEG for security reasons



Here is an advisory from security researchers who recommend using
FFMPEG instead of Libav [1].

"The other ~350 commits in FFmpeg were mostly submitted by Libav
project developers: Ronald S. Bultje, Luca Barbato, Alex Converse,
Martin Storsjö and Anton Khirnov. We have been concurrently reporting
issues in Libav during the last several months and similarly to
FFmpeg, the maintainers are doing a great job writing and submitting
patches, which FFmpeg is also cherry-picking to their own git
repository (large chunks of the two projects are shared, as Libav
started as a fork of FFmpeg). While the former project is doing their
best to catch up with the latter, the figures speak for themselves
again: there are “only” 413 commits tagged “Jurczyk” or “Coldwind” in
Libav, so even though some of the FFmpeg bugs might not apply to
Libav, there are still many unresolved issues there which are already
fixed in FFmpeg. Consequently, we advise users to use the FFmpeg
upstream code where possible, or the latest stable version (currently
2.1.1) otherwise. It is also a good idea to carefully consider which
formats and codecs are necessary for your use case and disable all
other parsers during compilation time, in order to reduce the attack
surface to a minimum."

The security team found over 1120 bugs (which are now fixed in FFMPEG
but not all in libav).

[1] http://j00ru.vexillium.org/?p=2211

