Date: Mon, 10 Jul 2017 18:28:37 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)

On Mon, Jul 10, 2017 at 11:42:53AM +0200, Dr. Thomas Orgis wrote:
> Is this really worth a CVE, though? So far I was only able to see a
> crash triggered by the AddressSanitizer. Never from a normal build. So

It is common to assign CVEs for issues discovered via fuzzers and
sanitizers even if the consequences aren't visible without them: perhaps
the consequences aren't visible to users only by accident.

Some people only accept a vulnerability report if there's an exploit that
goes along with it but developing even a proof of concept is difficult
and error-prone. Lack of an exploit doesn't prove that an issue can safely
be ignored. (There's always someone more dedicated to writing an exploit.)

Assigning a CVE number makes downstream consumers aware of the issue and
each can prioritize a fix as they see fit based on their own threat models.

> every build of mpg123 in the wild, except for extremely hardened
> distros that build everything with GCC's sanitizers enabled for daily
> use, is not affected. Are people running binaries in production with
> the sanitizers on?

I believe the general consensus is that only the UBSAN sanitizer is safe
for 'daily use'; the others aren't themselves security hardened and in
fact have led to exploits. This thread has more discussion:
http://www.openwall.com/lists/oss-security/2016/02/18/1

Thanks
