Date: Sat, 10 Sep 2016 16:26:26 -0400 (EDT)
From: cve-assign@...re.org
To: ago@...too.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: libav: out-of-bounds stack read

> https://blogs.gentoo.org/ago/2016/08/20/libav-stack-based-buffer-overflow-in-aac_sync-aac_parser-c/

>> libav: stack-based buffer overflow in aac_sync (aac_parser.c)

>> The ASan report may be confused because it mentions get_bits, but the issue is in aac_sync.

>> AddressSanitizer: stack-buffer-overflow
>> READ of size 4

>> https://git.libav.org/?p=libav.git;a=commit;h=fb1473080223a634b8ac2cca48a632d037a0a69d

>> aac_parser: add required padding for GetBitContext buffer

>> libavcodec/aac_parser.c

Use CVE-2016-7393 for this buffer over-read issue.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
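The padding requirement behind the fix quoted above, as an added example that is not libav's code: a toy bit reader that, like a word-at-a-time GetBitContext, always fetches a full 32-bit word starting at the current byte, so reading the last bits of a 7-byte header touches bytes past the payload. The toy's 3-byte padding, the ToyBitReader type and the toy_* functions are assumptions made for this demonstration; libav's real reader and its AV_INPUT_BUFFER_PADDING_BYTES constant are larger and differ in detail. The point it shows is the up-front size check that turns an undersized stack buffer into an init failure rather than the stack over-read the ASan report describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this toy reader: every read fetches a whole 32-bit word
 * starting at the current byte, so a read near the end of the payload
 * touches up to WORD_BYTES - 1 bytes past it. That is the read-ahead the
 * padding has to cover. (libav's AV_INPUT_BUFFER_PADDING_BYTES is larger;
 * this constant belongs to the toy only.) */
#define WORD_BYTES 4
#define TOY_PADDING_BYTES (WORD_BYTES - 1)

typedef struct {
    const uint8_t *buf;
    size_t buf_size;      /* physical bytes the buffer really holds */
    size_t size_in_bits;  /* logical payload length */
    size_t index;         /* current bit position */
} ToyBitReader;

/* Smallest buffer that can back `payload_len` payload bytes safely. */
size_t toy_required_buffer_size(size_t payload_len)
{
    return payload_len + TOY_PADDING_BYTES;
}

/* Refuse to start reading from a buffer that lacks the read-ahead padding;
 * this is the check a bare stack array of exactly payload size would fail. */
int toy_init(ToyBitReader *r, const uint8_t *buf, size_t buf_size,
             size_t payload_len)
{
    if (buf_size < toy_required_buffer_size(payload_len))
        return -1;
    r->buf = buf;
    r->buf_size = buf_size;
    r->size_in_bits = payload_len * 8;
    r->index = 0;
    return 0;
}

/* Read n (1..25) bits MSB-first. Returns -1 past the logical end; the
 * physical read-ahead is safe because toy_init enforced the padding. */
int toy_get_bits(ToyBitReader *r, unsigned n)
{
    if (n == 0 || n > 25 || r->index + n > r->size_in_bits)
        return -1;
    size_t byte = r->index >> 3;            /* byte + 3 < buf_size here */
    uint32_t word = ((uint32_t)r->buf[byte] << 24) |
                    ((uint32_t)r->buf[byte + 1] << 16) |
                    ((uint32_t)r->buf[byte + 2] << 8) |
                    (uint32_t)r->buf[byte + 3];
    unsigned shift = r->index & 7;
    uint32_t v = (word << shift) >> (32 - n);
    r->index += n;
    return (int)v;
}

/* Constructed sample: a 7-byte header starting with the 12-bit 0xFFF
 * syncword. With use_padding the reader is handed tmp[] at its padded
 * size; without it only the 7 payload bytes are declared, mirroring a
 * bare 7-byte stack array, and init rejects the buffer. */
int toy_demo_read_sync(int use_padding)
{
    static const uint8_t payload[7] = { 0xFF, 0xF1, 0x50, 0x80, 0x01, 0x7F, 0xFC };
    uint8_t tmp[7 + TOY_PADDING_BYTES];
    ToyBitReader r;
    size_t declared = use_padding ? sizeof tmp : sizeof payload;

    memset(tmp, 0, sizeof tmp);
    memcpy(tmp, payload, sizeof payload);
    if (toy_init(&r, tmp, declared, sizeof payload) < 0)
        return -1;
    return toy_get_bits(&r, 12);
}

int main(void)
{
    printf("buffer needed for 7 payload bytes: %zu\n", toy_required_buffer_size(7));
    printf("padded buffer, syncword: 0x%x\n", toy_demo_read_sync(1));
    printf("unpadded buffer, init result: %d\n", toy_demo_read_sync(0));
    return 0;
}
```

Reading the final byte at bit offset 48 is the case that matters: the word fetch covers bytes 6 through 9, so a 7-byte buffer without padding is over-read by three bytes, while the padded buffer keeps the fetch in bounds and the logical check in toy_get_bits still stops the reader at bit 56.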
