Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Jul 2017 12:34:36 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: "Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>
Subject: Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)

All the info were updated.


On Monday 10 July 2017 11:42:53 Dr. Thomas Orgis wrote:
> Is this really worth a CVE, though? So far I was only able to see a
> crash triggered by the AddressSanitizer.

Often, when there is an out-of-bound condition there is no crash, and the 
application works as expected. It is only visible with debuggers or in case of 
stack overflow with fortify_source enabled, so I think it's an expected 
behaviour.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ