Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 10 Jul 2017 18:28:37 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: mpg123: global buffer overflow in III_i_stereo
 (layer3.c)

On Mon, Jul 10, 2017 at 11:42:53AM +0200, Dr. Thomas Orgis wrote:
> Is this really worth a CVE, though? So far I was only able to see a
> crash triggered by the AddressSanitizer. Never from a normal build. So

It is common to assign CVEs for issues discovered via fuzzers and
sanitizers even if the consequences aren't visible without them: perhaps
the consequences aren't visible to users only by accident.

Some people only accept a vulnerability report if there's an exploit that
goes along with it but developing even a proof of concept is difficult
and error-prone. Lack of an exploit doesn't prove that an issue can safely
be ignored. (There's always someone more dedicated to writing an exploit.)

Assigning a CVE number makes downstream consumers aware of the issue and
each can prioritize a fix as they see fit based on their own threat models.

> every build of mpg123 in the wild, except for extremely hardened
> distros that build everything with GCC's sanitizers enabled for daily
> use, is not affected. Are people running binaries in production with
> the sanitizers on?

I believe the general consensus is that only the UBSAN sanitizer is safe
for 'daily use'; the others aren't themselves security hardened and in
fact have lead to exploits. This thread has more discussion:
http://www.openwall.com/lists/oss-security/2016/02/18/1

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.