Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 21 Sep 2017 14:58:59 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: ?????? <lianyihan@....cn>
Subject: Re: CVE-2017-14160: libvorbis-1.3.5 bark_noise_hybridmp() integer signedness bug

Hi,

This was sent to the list with only "CVE-2017-14160" as the Subject.
That's against oss-security list content guidelines:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

"When applicable, the message Subject must include the name and
version(s) of affected software, and vulnerability type.  For example, a
Subject saying only "CVE-2099-99999" is not appropriate, whereas
"CVE-2099-99999: Acme Placeholder 1.0 buffer overflow" would be OK."

As a moderator, I took the liberty of correcting the Subject to my best
guess of what it should have been, before approving the message.  This
guess is based purely on message content as follows.  I didn't analyze
the issue in its proper context.

On Thu, Sep 21, 2017 at 06:27:15AM +0000, ?????? wrote:
> (gdb) bt
> #0  0x0000000001f95afd in bark_noise_hybridmp (n=256, b=0x32cd940, f=0x32e5010, noise=0x32f7ed0, offset=140, fixed=-1) at psy.c:630

This shows the function name, n=256, and that the crash is on line 630.

> 628         if(hi>=n)break;
> 629
> 630         tN = N[hi] - N[lo];

> (gdb) p hi
> $4 = 0
> (gdb) p lo
> $5 = 49656                                                                 // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

And oops, looks like I misread this as "hi" being too high, whereas it
was actually "lo" that was too high.  So I thought the check on line 628
was wrongly a signed check (or else a "hi" that is too high wouldn't
pass it).  But actually the bug is probably the lack of check of "lo".

So if anyone needs a description for tracking this issue, for now it
should be "libvorbis-1.3.5 bark_noise_hybridmp() out of bounds access".

I guess the lessons here are:

1. People posting to oss-security should adhere to the list guidelines.

2. People should prioritize vulnerability analysis over obtaining CVE IDs.
If can't analyze (no skills, desire, time), include some more general
description like "crash" or "out of bounds access" - it wouldn't be very
specific, but would show the (very limited) extent of analysis up to that
point and would (hopefully) be correct.

3. As a moderator willing to put very little time per message, maybe I
shouldn't try to over-do my job, and if I do correct obviously unsuitable
message Subjects (like this message originally had), then do so only in
the minimal manner suggested above.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.