Date: Mon, 10 Jul 2017 12:34:36 +0200 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Cc: "Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de> Subject: Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) All the info were updated. On Monday 10 July 2017 11:42:53 Dr. Thomas Orgis wrote: > Is this really worth a CVE, though? So far I was only able to see a > crash triggered by the AddressSanitizer. Often, when there is an out-of-bound condition there is no crash, and the application works as expected. It is only visible with debuggers or in case of stack overflow with fortify_source enabled, so I think it's an expected behaviour. -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ