Date: Tue, 22 Nov 2016 07:31:29 -0500
From: Alex Gaynor <alex.gaynor@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: gstreamer plugins

Another exploit chain here:
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html

Alex

On Sat, Nov 19, 2016 at 5:59 AM, Hanno Böck <hanno@...eck.de> wrote:
> Hi,
>
> On Fri, 18 Nov 2016 17:31:19 +0100
> Marcus Meissner <meissner@...e.de> wrote:
>
> > 1. Buffer overflow in VMNC decoder in gstreamer plugins:
> > https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
>
> I wanted to point out that while it's good the buffer overflow gets
> fixed, that's by far not the major issue here.
>
> This is a very problematic design decision with the functionality of
> tracker/GNOME that exposes all files on a system to who knows how many
> decoders of probably overall very low quality.
> Almost certainly there are countless other vulnerabilities of similar
> kind in all kinds of gstreamer codecs. (And I haven't checked, but I
> assume tracker also exposes other files to other equally problematic
> decoders.)
>
> I think this is kinda a symptom of two goals clashing: we have projects
> like gstreamer that attempt to parse every file format ever seen in
> their area, which of course has some value, especially in terms of
> preserving digital culture. But on the other hand, exposing this code to
> untrusted inputs is a security disaster.
>
> I'm wondering if there is any statement or reaction from either GNOME
> or Fedora on this.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno@...eck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6