Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 19 Nov 2016 11:59:32 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: gstreamer plugins

Hi,


On Fri, 18 Nov 2016 17:31:19 +0100
Marcus Meissner <meissner@...e.de> wrote:

> 1. Bufferoverflow in VMNC decoder in gstreamer plugins:
> 	https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html

I wanted to point out that while it's good the buffer overflow gets
fixed, that's by far not the major issue here.

This is a very problematic design decision with the functionality of
tracker/GNOME that exposes all files on a system to who knows how many
decoders of probably overall very low quality.
Almost certainly there are countless other vulnerabilities of similar
kind in all kinds of gstreamer codecs. (and I haven't checked, but I
assume tracker also exposes other files to other equally problematic
decoders)

I think this is kinda a symptom of two goals clashing: We have projects
like gstreamer that attempt to parse every file format ever seen in
their are - which of course has some value, especially in terms of
preserving digital culture. But on the other hand exposing this code to
untrusted inputs is a security disaster.

I'm wondering if there is any statement or reaction from either gnome
or fedora on this.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ