Date: Tue, 22 Nov 2016 07:31:29 -0500
From: Alex Gaynor <alex.gaynor@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: gstreamer plugins

Another exploit chain here:
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html

Alex

On Sat, Nov 19, 2016 at 5:59 AM, Hanno Böck <hanno@...eck.de> wrote:

> Hi,
>
>
> On Fri, 18 Nov 2016 17:31:19 +0100
> Marcus Meissner <meissner@...e.de> wrote:
>
> > 1. Buffer overflow in VMNC decoder in gstreamer plugins:
> >       https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
>
> I wanted to point out that while it's good the buffer overflow gets
> fixed, that's by far not the major issue here.
>
> This is a very problematic design decision with the functionality of
> tracker/GNOME that exposes all files on a system to who knows how many
> decoders of probably overall very low quality.
> Almost certainly there are countless other vulnerabilities of similar
> kind in all kinds of gstreamer codecs. (and I haven't checked, but I
> assume tracker also exposes other files to other equally problematic
> decoders)
>
> I think this is kinda a symptom of two goals clashing: We have projects
> like gstreamer that attempt to parse every file format ever seen in
> their area - which of course has some value, especially in terms of
> preserving digital culture. But on the other hand exposing this code to
> untrusted inputs is a security disaster.
>
> I'm wondering if there is any statement or reaction from either gnome
> or fedora on this.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno@...eck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
