The dependency ffmpeg 4.3 has critical CVEs

[blzheng]

🐛 Bug

In https://anaconda.org/pytorch/repo, the version of the dependency ffmpeg is 4.3, but ffmpeg 4.3 has several critical CVEs listed below. All those issues are related to buffer overflow with may cause unexpected application behavior.

CVE-2021-33815
CVE-2021-30123
CVE-2020-14212
CVE-2020-35965
CVE-2020-35964

BTW, ffmpeg 4.4 provides the most fixes. And I didn't find any strict restrictions on the version of ffmpeg in the source code. Could you update the ffmpeg from v4.3 to v4.4?

cc @ezyang @gchanan @zou3519 @bdhirsh @jbschlosser @anjali411 @fmassa @vfdev-5 @pmeier

[pmeier]

Cc @andfoy @bjuncek

[andfoy]

Ffmpeg 4.3 cannot be used due to some major bugs. FFmpeg 4.4 has been already out during some months now, however it is not clear if we should package that version

[bjuncek]

Should I test the new FFMPEG and plan for migration to it?
We've fixed incompatibilities with the deprecated API, and (providing no bugs) FBSync would be the biggest blocker. Any thoughts on this @fmassa @prabhat00155 ?

[bjuncek]

also note that conda's ffmpeg-feedstock is still at 4.3.1 by default

[bjuncek]

FFMPEG in conda-forge has been updated, and we've finished the migration (#5644 ) so I'm closing this