Date: Thu, 10 Jan 2013 20:02:13 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: CVE request: opus codec before 1.0.2 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 13 Dec 2012 16:35:09 -0700 Kurt Seifried <kseifried@...hat.com> wrote: > No problem, not assigning for now unless someone comes up with a > security impact/additional info/etc. I brought it up in #opus on irc. Sounds to me it is a - low impact - security issue and should get a CVE. <hanno> one question about the 1.0.2 release: is the "our of bounds read" security relevant? <hanno> this was asked on oss-security (i.e. the question if this should get a CVE id) <rillian> heh <rillian> hanno: it's a bounded out of bounds read <gmaxwell> Movers came to do a walkthrough this morning. <rillian> so it's definitely a denial of service <rillian> although we never managed to generate a crash example against Firefox <jmspeex> hanno: In *theory* could could cause a decoder to crash but so far (AFAIK) we haven't been able to even do that <gmaxwell> hanno: it can be a DOS at least for some kinds of callers. If the caller won't otherwise accept a packet >16mbytes (e.g. an rtp one) then it's not a concern. <derf> hanno: Well, when we asked the Mozilla security guys about it, they said <derf> 14:58:36 <@dveditz> rillian: I'm pretty OK issuing CVE's for OPUS if we need to <derf> 14:58:53 <@dveditz> but bugs like that don't typically get a CVE <derf> 14:59:02 <@dveditz> otherwise Mitre would run out of numbers <rillian> :) <jmspeex> IOW, with a lot of effort you can achieve something nearly as scary as what anyone can achieve more easily though tons of other known issues - -- Hanno Böck mail/jabber: hanno@...eck.de GPG: BBB51E42 http://www.hboeck.de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iQIcBAEBCAAGBQJQ7xA4AAoJEKWIAHK7tR5CtisP/1I6vq6PH57CBhXdTK24SEHD +osRi6Ke+L6pmEdYlyx6bzHbc5zM7KYMXrBkTqZbHgarDm89JP6WzDLnjYe/hn0w s92emrDrk+Khp2zfQ4Oep6mO8dufDApV1NxQssENR99d9vmW5juzlQCSdri7/NcT wViWcfkMTprVox4L+j+5bb4arNDYKtqcFQReCSB6csuvFo21vaI90GAWDVwTW3Om ppmeTHymDHctVHnqcjLMHGqF+PuQTatA/e4AxkNlJ3jIDgWOk3hEoaRNTm/BFavA 9sNwHG+nhkfb8Rh1b5Qa1ZqjPqjhli2D7creROryK13l3n/Qeg627ztrxegNCQzv BHS8xAosXGdWrzQl6HYf/Dnfkoe5b5aqdZniRX1WBQ8h9Fz+rMTHnqrHE9jyFIyy dMMCNSjEKz73VCUCaedRMSggiMO+RiZrgGOZsnJNuYiqZ/KEi4s+6EHGpMzpRcVN T5PvB0Mq/o3Rjcav6JDV20CaFWgJtAdtI1xRfw5fxysRD0IMF2u4L6ov1zai3vI7 kNGLuoYFFfi4EPS+YeO+qS07f0BODzNnVoWEC+gKZ2+CVm96l2XbwkWqac3g/F1k 7pyfR/iVmRB5XrR55g4ACRrp24VkJd7AR9H9E8g6mEn83hCXMmD3FPNsaYRsgVyo UwhegAJk4Tlhx/vt/wDb =5oMq -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.