Date: Thu, 21 Sep 2017 14:58:59 +0200
From: Solar Designer <>
Cc: ?????? <>
Subject: Re: CVE-2017-14160: libvorbis-1.3.5 bark_noise_hybridmp() integer signedness bug


This was sent to the list with only "CVE-2017-14160" as the Subject.
That's against oss-security list content guidelines:

"When applicable, the message Subject must include the name and
version(s) of affected software, and vulnerability type.  For example, a
Subject saying only "CVE-2099-99999" is not appropriate, whereas
"CVE-2099-99999: Acme Placeholder 1.0 buffer overflow" would be OK."

As a moderator, I took the liberty of correcting the Subject to my best
guess of what it should have been, before approving the message.  This
guess is based purely on message content as follows.  I didn't analyze
the issue in its proper context.

On Thu, Sep 21, 2017 at 06:27:15AM +0000, ?????? wrote:
> (gdb) bt
> #0  0x0000000001f95afd in bark_noise_hybridmp (n=256, b=0x32cd940, f=0x32e5010, noise=0x32f7ed0, offset=140, fixed=-1) at psy.c:630

This shows the function name, n=256, and that the crash is on line 630.

> 628         if(hi>=n)break;
> 629
> 630         tN = N[hi] - N[lo];

> (gdb) p hi
> $4 = 0
> (gdb) p lo
> $5 = 49656                                                                 // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

And oops, looks like I misread this as "hi" being too high, whereas it
was actually "lo" that was too high.  So I thought the check on line 628
was wrongly a signed check (or else a "hi" that is too high wouldn't
pass it).  But actually the bug is probably the lack of check of "lo".

So if anyone needs a description for tracking this issue, for now it
should be "libvorbis-1.3.5 bark_noise_hybridmp() out of bounds access".

I guess the lessons here are:

1. People posting to oss-security should adhere to the list guidelines.

2. People should prioritize vulnerability analysis over obtaining CVE IDs.
If you can't analyze (no skills, desire, time), include some more general
description like "crash" or "out of bounds access" - it wouldn't be very
specific, but would show the (very limited) extent of analysis up to that
point and would (hopefully) be correct.

3. As a moderator willing to put very little time per message, maybe I
shouldn't try to over-do my job, and if I do correct obviously unsuitable
message Subjects (like this message originally had), then do so only in
the minimal manner suggested above.
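As an added example, not code from the message or from libvorbis: a constructed analogue of the quoted check pattern (only hi is tested before N[hi] - N[lo]) next to a form that validates both indices, exercised with the values from the gdb session (n=256, hi=0, lo=49656). The array contents and the helper names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed analogue of the pattern in the quoted gdb session, not
 * libvorbis code: the loop checks only hi before computing N[hi]-N[lo].
 * Sample values below mirror the session (n=256, hi=0, lo=49656). */

enum { N_LEN = 256 };
#define NO_VALUE (-1.0e9f)   /* sentinel for "index rejected" */
static float sample_N[N_LEN];

/* The check as quoted: only "hi >= n" is tested, and since hi is a
 * signed int a negative hi passes too.  Returns true when the code
 * would go on to index the array, regardless of lo. */
static bool quoted_check_allows_access(int n, int lo, int hi)
{
    (void)lo;               /* lo is never validated */
    return !(hi >= n);
}

/* Hardened form: both indices must lie in [0, n) before indexing.
 * Returns false (and leaves *out untouched) on any out-of-range index. */
static bool safe_diff(const float *N, int n, int lo, int hi, float *out)
{
    if (lo < 0 || lo >= n) return false;   /* the missing lo check */
    if (hi < 0 || hi >= n) return false;   /* hi check, negative-safe */
    *out = N[hi] - N[lo];
    return true;
}

/* Runs safe_diff over the constructed array (N[i] = i, so results are
 * exact) and returns NO_VALUE when either index is rejected. */
static float sample_diff(int lo, int hi)
{
    float d = 0.0f;
    for (int i = 0; i < N_LEN; i++) sample_N[i] = (float)i;
    return safe_diff(sample_N, N_LEN, lo, hi, &d) ? d : NO_VALUE;
}

int main(void)
{
    printf("quoted check lets lo=49656 through: %d\n",
           quoted_check_allows_access(256, 49656, 0));
    printf("safe_diff(lo=49656, hi=0) rejected: %d\n",
           sample_diff(49656, 0) == NO_VALUE);
    printf("safe_diff(lo=49, hi=140) = %g\n", sample_diff(49, 140));
    return 0;
}
```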
