Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Jul 2017 10:02:02 +0200
From: "Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>
To: oss-security@...ts.openwall.com
Subject: Re: mpg123: global buffer overflow in III_i_stereo
 (layer3.c)

Thanks to all for the clarifications.

Am Mon, 10 Jul 2017 20:24:01 -0600
schrieb Kurt Seifried <kseifried@...hat.com>: 

> On 2017-07-10 8:04 PM, Michal Zalewski wrote:
> >> It's hard to see a security issue here  
> > I'm not sure this applies here, but the use of uninitialized memory
> > can be an issue when, say, a website calls your code to convert
> > user-controlled audio (e.g., to optimize it for streaming).

Yeah, in this case it is read access spilling over to adjacent static
variables in the code. They are either contstant at compile-time or
initialised to the same values on each run.

> Heartbleed was "only" 64k (that's actually a pretty huge amount for
> sensitive data).

Here, it's 128 bytes of an adjacent table instead of the intended one
(planned for a 4-bit index, got a 5-bit one). It's bad audio being
produced, but from input that very likely was bad to begin with (still
no valid input data at hand that triggers this).

I would like the CVE description to mention that this is only Denial of
Service with something like the AddressSanitizer, as it is guaranteed
to be memory belonging to the respective process, just up to 128 bytes
off the mark. Not even heap buffers involved. Of course this was not
clear when reporting, but it's really just those 128 bytes inside
static variables in the code. My program accesses memory that belongs
to my program … unless the compiler inserts forbidden zones in there.

I am not bothered enough to dispute the CVE. In the end it's a bug and
it had to be fixed. But I won't mention the CVE in the commit message
as it's already done and you don't change history with subversion. You
will have to make do with the entry in the NEWS file on release;-)


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
Universität Hamburg
RRZ / Basisinfrastruktur / HPC
Schlüterstr. 70
20146 Hamburg
Tel.: 040/42838 8826
Fax: 040/428 38 6270

Download attachment "smime.p7s" of type "application/pkcs7-signature" (5898 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.