Re: CVE request: opus codec before 1.0.2

[Hanno Böck <hanno () hboeck de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, 13 Dec 2012 16:35:09 -0700
Kurt Seifried <kseifried () redhat com> wrote:

> No problem, not assigning for now unless someone comes up with a
> security impact/additional info/etc.

I brought it up in #opus on irc. Sounds to me it is a - low impact -
security issue and should get a CVE.

<hanno> one question about the 1.0.2 release: is the "our of bounds
read" security relevant?
<hanno> this was asked on oss-security (i.e.
the question if this should get a CVE id) <rillian> heh
<rillian> hanno: it's a bounded out of bounds read
<gmaxwell> Movers came to do a walkthrough this morning.
<rillian> so it's definitely a denial of service
<rillian> although we never managed to generate a crash example against
Firefox
<jmspeex> hanno: In *theory* could could cause a decoder to
crash but so far (AFAIK) we haven't been able to even do that
<gmaxwell> hanno: it can be a DOS at least for some kinds of callers.
If the caller won't otherwise accept a packet >16mbytes (e.g. an rtp
one) then it's not a concern.
<derf> hanno: Well, when we asked the
Mozilla security guys about it, they said
<derf> 14:58:36 <@dveditz> rillian: I'm pretty OK issuing CVE's for
OPUS if we need to
<derf> 14:58:53 <@dveditz> but bugs like that don't
typically get a CVE
<derf> 14:59:02 <@dveditz> otherwise Mitre would
run out of numbers
<rillian> :)
<jmspeex> IOW, with a lot of effort you
can achieve something nearly as scary as what anyone can achieve more
easily though tons of other known issues

- -- 
Hanno Böck              mail/jabber: hanno () hboeck de
GPG: BBB51E42           http://www.hboeck.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQIcBAEBCAAGBQJQ7xA4AAoJEKWIAHK7tR5CtisP/1I6vq6PH57CBhXdTK24SEHD
+osRi6Ke+L6pmEdYlyx6bzHbc5zM7KYMXrBkTqZbHgarDm89JP6WzDLnjYe/hn0w
s92emrDrk+Khp2zfQ4Oep6mO8dufDApV1NxQssENR99d9vmW5juzlQCSdri7/NcT
wViWcfkMTprVox4L+j+5bb4arNDYKtqcFQReCSB6csuvFo21vaI90GAWDVwTW3Om
ppmeTHymDHctVHnqcjLMHGqF+PuQTatA/e4AxkNlJ3jIDgWOk3hEoaRNTm/BFavA
9sNwHG+nhkfb8Rh1b5Qa1ZqjPqjhli2D7creROryK13l3n/Qeg627ztrxegNCQzv
BHS8xAosXGdWrzQl6HYf/Dnfkoe5b5aqdZniRX1WBQ8h9Fz+rMTHnqrHE9jyFIyy
dMMCNSjEKz73VCUCaedRMSggiMO+RiZrgGOZsnJNuYiqZ/KEi4s+6EHGpMzpRcVN
T5PvB0Mq/o3Rjcav6JDV20CaFWgJtAdtI1xRfw5fxysRD0IMF2u4L6ov1zai3vI7
kNGLuoYFFfi4EPS+YeO+qS07f0BODzNnVoWEC+gKZ2+CVm96l2XbwkWqac3g/F1k
7pyfR/iVmRB5XrR55g4ACRrp24VkJd7AR9H9E8g6mEn83hCXMmD3FPNsaYRsgVyo
UwhegAJk4Tlhx/vt/wDb
=5oMq
-----END PGP SIGNATURE-----