Date: Mon, 10 Jul 2017 20:24:01 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, Michal Zalewski <lcamtuf@...edump.cx>
Subject: Re: mpg123: global buffer overflow in III_i_stereo
 (layer3.c)



On 2017-07-10 8:04 PM, Michal Zalewski wrote:
>> It's hard to see a security issue here
> I'm not sure this applies here, but the use of uninitialized memory
> can be an issue when, say, a website calls your code to convert
> user-controlled audio (e.g., to optimize it for streaming). For
> libraries, this could leak some information about the audio converted
> for other users, possibly revealing it to the attacker. For one-shot
> conversions with a command-line tool, this is unlikely, but the
> uninitialized memory could still end up leaking some system-specific
> secrets (e.g., ASLR memory layout, credentials, etc).
Just a reminder to all, a worst case scenario to the above:

https://twitter.com/taviso/status/832744397800214528?lang=en
> Not that this is necessarily a risk here; depends on how much memory
> is accessed, what happens with it later on, whether anyone is even
> using the library / tool this way, whether doing so is sane in the
> first place, etc.
>
> /mz
Heartbleed was "only" 64k (that's actually a pretty huge amount for
sensitive data).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
