Date: Tue, 11 Jul 2017 10:02:02 +0200
From: "Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>
To: oss-security@...ts.openwall.com
Subject: Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)

Thanks to all for the clarifications.

On Mon, 10 Jul 2017 20:24:01 -0600, Kurt Seifried <kseifried@...hat.com> wrote:

> On 2017-07-10 8:04 PM, Michal Zalewski wrote:
> >> It's hard to see a security issue here
> > I'm not sure this applies here, but the use of uninitialized memory
> > can be an issue when, say, a website calls your code to convert
> > user-controlled audio (e.g., to optimize it for streaming).

Yeah, in this case it is read access spilling over to adjacent static
variables in the code. They are either constant at compile-time or
initialised to the same values on each run.

> Heartbleed was "only" 64k (that's actually a pretty huge amount for
> sensitive data).

Here, it's 128 bytes of an adjacent table instead of the intended one
(planned for a 4-bit index, got a 5-bit one). It's bad audio being
produced, but from input that very likely was bad to begin with (still
no valid input data at hand that triggers this).

I would like the CVE description to mention that this is only Denial of
Service with something like the AddressSanitizer, as it is guaranteed to
be memory belonging to the respective process, just up to 128 bytes off
the mark. Not even heap buffers involved. Of course this was not clear
when reporting, but it's really just those 128 bytes inside static
variables in the code. My program accesses memory that belongs to my
program ... unless the compiler inserts forbidden zones in there.

I am not bothered enough to dispute the CVE. In the end it's a bug and it
had to be fixed. But I won't mention the CVE in the commit message as
it's already done and you don't change history with subversion. You will
have to make do with the entry in the NEWS file on release ;-)

Alrighty then,

Thomas

--
Dr. Thomas Orgis
Universität Hamburg
RRZ / Basisinfrastruktur / HPC
Schlüterstr. 70
20146 Hamburg
Tel.: 040/42838 8826
Fax: 040/428 38 6270
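The failure mode described in the message above, a field that can carry 32 values used to index a table sized for 16, is easy to reproduce in miniature. The C program below is an added illustration for this thread and is not mpg123's code: the table names and contents, the 16-entry size, and the `stereo_index_from_bits` and `decode_stereo_field` helpers are all constructed for the example. It shows the unchecked lookup shape beside a checked one that rejects any index outside the table, which is the kind of fix a decoder wants, and it is the unchecked shape that AddressSanitizer reports as a global-buffer-overflow read when the index runs past the end into whatever static the linker placed next.

```c
#include <stdint.h>
#include <stdio.h>

/* Two adjacent static tables, standing in for a decoder's layer-3 stereo
 * tables. Sizes and contents are constructed for this example. */
#define TABLE_ENTRIES 16
static const float intended_table[TABLE_ENTRIES] = {
    0.0f, 0.1f, 0.2f, 0.3f, 0.4f, 0.5f, 0.6f, 0.7f,
    0.8f, 0.9f, 1.0f, 1.1f, 1.2f, 1.3f, 1.4f, 1.5f
};
static const float adjacent_table[TABLE_ENTRIES] = {
    9.0f, 9.1f, 9.2f, 9.3f, 9.4f, 9.5f, 9.6f, 9.7f,
    9.8f, 9.9f, 8.0f, 8.1f, 8.2f, 8.3f, 8.4f, 8.5f
};

/* Extract a 5-bit field from a (constructed) header byte. The table was
 * "planned for a 4-bit index", but this field can hold 0..31. */
static unsigned stereo_index_from_bits(uint8_t byte) {
    return byte & 0x1F;   /* five bits: 0..31 */
}

/* Unchecked lookup: with idx >= TABLE_ENTRIES this reads past the end of
 * intended_table into neighbouring statics (here adjacent_table). That is
 * undefined behaviour in C and what ASan flags as a global-buffer-overflow
 * READ. The example only ever calls it with an in-range index. */
static float lookup_unchecked(unsigned idx) {
    return intended_table[idx];
}

/* Checked lookup: 0 on success with the value stored in *out, -1 when the
 * index is outside the table. */
static int lookup_checked(unsigned idx, float *out) {
    if (idx >= TABLE_ENTRIES)
        return -1;
    *out = intended_table[idx];
    return 0;
}

/* Decode one stereo field, rejecting bad indices instead of reading past
 * the table. Returns 1 if the field was valid, 0 otherwise. */
int decode_stereo_field(uint8_t header_byte, float *scale) {
    unsigned idx = stereo_index_from_bits(header_byte);
    return lookup_checked(idx, scale) == 0;
}

int main(void) {
    /* Constructed header bytes: two in range, two with the 5th bit set. */
    const uint8_t samples[] = { 0x05, 0x0F, 0x11, 0x1F };
    for (size_t i = 0; i < sizeof samples; i++) {
        float v;
        unsigned idx = stereo_index_from_bits(samples[i]);
        if (decode_stereo_field(samples[i], &v))
            printf("byte 0x%02X -> index %2u -> %.1f (unchecked gives %.1f)\n",
                   samples[i], idx, v, lookup_unchecked(idx));
        else
            printf("byte 0x%02X -> index %2u rejected (table has %d entries)\n",
                   samples[i], idx, TABLE_ENTRIES);
    }
    /* Silence the unused warning: adjacent_table exists only to be the
     * neighbour an unchecked read would land in. */
    (void)adjacent_table;
    return 0;
}
```

Building with `-fsanitize=address` and calling `lookup_unchecked` with an index of 16 or more is the configuration the thread describes: the process reads its own static data, a few dozen bytes off the mark, and only the sanitizer turns that into an abort.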