Date: Mon, 10 Jul 2017 18:28:37 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)

On Mon, Jul 10, 2017 at 11:42:53AM +0200, Dr. Thomas Orgis wrote:
> Is this really worth a CVE, though? So far I was only able to see a
> crash triggered by the AddressSanitizer. Never from a normal build. So

It is common to assign CVEs for issues discovered via fuzzers and sanitizers even if the consequences aren't visible without them: perhaps the consequences aren't visible to users only by accident.

Some people only accept a vulnerability report if there's an exploit that goes along with it, but developing even a proof of concept is difficult and error-prone. Lack of an exploit doesn't prove that an issue can safely be ignored. (There's always someone more dedicated to writing an exploit.)

Assigning a CVE number makes downstream consumers aware of the issue, and each can prioritize a fix as they see fit based on their own threat models.

> every build of mpg123 in the wild, except for extremely hardened
> distros that build everything with GCC's sanitizers enabled for daily
> use, is not affected. Are people running binaries in production with
> the sanitizers on?

I believe the general consensus is that only the UBSAN sanitizer is safe for 'daily use'; the others aren't themselves security hardened and in fact have led to exploits. This thread has more discussion:

http://www.openwall.com/lists/oss-security/2016/02/18/1

Thanks