FFmpeg on DVR

FFmpeg flaw discovered

Open a sketchy video file in VLC, stream it using Jellyfin or Kodi, or don’t even open it at all – simply storing it can get you compromised when the Linux file manager generates a thumbnail.

I suppose someone's dvr can be compromised if they add a malicious mpeg that uses MagicYUV. Maybe a quick fix is to just disable MagicYUV until you can test the new ffmpeg.

@maddox @tmm1 @eric

1 Like

MagicYUV is not enabled in our ffmpeg builds.

2 Likes

it seems to be on mine...

dvr1$ cd ~channels
dvr1$ ls
2026.04.03.1854  2026.04.29.0232  2026.05.12.0935  2026.05.18.1824  2026.06.05.0615  2026.06.20.0022  data  etc  install.sh  latest  uninstall.sh
dvr1$ cd latest
dvr1$ ls
channels-dvr  comskip  ffmpeg  ffmpeg-dl  ffprobe  linux-x86_64.sha256  prerelease  version
dvr1$ ./ffmpeg -codecs | grep -i magic
 ..VI.S magicyuv             MagicYUV video

.. although

dvr1$ ffmpeg -decoders | grep -i magicyuv 
dvr1$ 

Not sure what it means to show up as a codec but not a decoder. I assume it means you're right, it's not enabled.

I actually checked with -codecs before making this post and didn't consider -decoders.
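
An added example, not part of the thread or of the Channels DVR tooling: the first two characters of each `ffmpeg -codecs` row say whether a decoder (`D`) or encoder (`E`) is compiled in, so a row starting `..` names a codec the build recognizes but cannot decode. The function names and the `mpeg2video` sample row are constructed for illustration; pass `check_binary` the explicit path of the binary you mean to inspect (for example the bundled `./ffmpeg`), since a bare `ffmpeg` resolves through `PATH`.

```shell
#!/bin/sh
# Flag column of `ffmpeg -codecs`, per the legend that command prints:
#   pos 1: D = decoding supported     pos 2: E = encoding supported
#   pos 3: V/A/S = media type         pos 4-6: I intra-only, L lossy, S lossless

# codec_support NAME
# Reads `ffmpeg -codecs` text on stdin and prints "decode=yes|no encode=yes|no"
# for NAME. Returns 1 if NAME is not listed at all.
codec_support() {
    awk -v name="$1" '
        $2 == name && length($1) == 6 {
            d = (substr($1, 1, 1) == "D") ? "yes" : "no"
            e = (substr($1, 2, 1) == "E") ? "yes" : "no"
            printf "decode=%s encode=%s\n", d, e
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_binary PATH NAME (hypothetical helper)
# Queries one specific ffmpeg binary by explicit path, not whatever is on PATH.
check_binary() {
    "$1" -hide_banner -codecs 2>/dev/null | codec_support "$2"
}

# Constructed sample input: two legend rows, the magicyuv row as shown in the
# thread, and an invented mpeg2video row for contrast.
SAMPLE=' D..... = Decoding supported
 .E.... = Encoding supported
 ..VI.S magicyuv             MagicYUV video
 DEV.L. mpeg2video           MPEG-2 video'

if [ "$#" -eq 2 ]; then
    check_binary "$1" "$2"          # e.g. sh script.sh ./ffmpeg magicyuv
else
    printf '%s\n' "$SAMPLE" | codec_support magicyuv
fi
```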