oss-sec mailing list archives
Re: CVE request: opus codec before 1.0.2
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 10 Jan 2013 20:02:13 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 13 Dec 2012 16:35:09 -0700 Kurt Seifried <kseifried () redhat com> wrote:
No problem, not assigning for now unless someone comes up with a security impact/additional info/etc.
I brought it up in #opus on irc. Sounds to me it is a - low impact - security issue and should get a CVE. <hanno> one question about the 1.0.2 release: is the "our of bounds read" security relevant? <hanno> this was asked on oss-security (i.e. the question if this should get a CVE id) <rillian> heh <rillian> hanno: it's a bounded out of bounds read <gmaxwell> Movers came to do a walkthrough this morning. <rillian> so it's definitely a denial of service <rillian> although we never managed to generate a crash example against Firefox <jmspeex> hanno: In *theory* could could cause a decoder to crash but so far (AFAIK) we haven't been able to even do that <gmaxwell> hanno: it can be a DOS at least for some kinds of callers. If the caller won't otherwise accept a packet >16mbytes (e.g. an rtp one) then it's not a concern. <derf> hanno: Well, when we asked the Mozilla security guys about it, they said <derf> 14:58:36 <@dveditz> rillian: I'm pretty OK issuing CVE's for OPUS if we need to <derf> 14:58:53 <@dveditz> but bugs like that don't typically get a CVE <derf> 14:59:02 <@dveditz> otherwise Mitre would run out of numbers <rillian> :) <jmspeex> IOW, with a lot of effort you can achieve something nearly as scary as what anyone can achieve more easily though tons of other known issues - -- Hanno Böck mail/jabber: hanno () hboeck de GPG: BBB51E42 http://www.hboeck.de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iQIcBAEBCAAGBQJQ7xA4AAoJEKWIAHK7tR5CtisP/1I6vq6PH57CBhXdTK24SEHD +osRi6Ke+L6pmEdYlyx6bzHbc5zM7KYMXrBkTqZbHgarDm89JP6WzDLnjYe/hn0w s92emrDrk+Khp2zfQ4Oep6mO8dufDApV1NxQssENR99d9vmW5juzlQCSdri7/NcT wViWcfkMTprVox4L+j+5bb4arNDYKtqcFQReCSB6csuvFo21vaI90GAWDVwTW3Om ppmeTHymDHctVHnqcjLMHGqF+PuQTatA/e4AxkNlJ3jIDgWOk3hEoaRNTm/BFavA 9sNwHG+nhkfb8Rh1b5Qa1ZqjPqjhli2D7creROryK13l3n/Qeg627ztrxegNCQzv BHS8xAosXGdWrzQl6HYf/Dnfkoe5b5aqdZniRX1WBQ8h9Fz+rMTHnqrHE9jyFIyy dMMCNSjEKz73VCUCaedRMSggiMO+RiZrgGOZsnJNuYiqZ/KEi4s+6EHGpMzpRcVN T5PvB0Mq/o3Rjcav6JDV20CaFWgJtAdtI1xRfw5fxysRD0IMF2u4L6ov1zai3vI7 kNGLuoYFFfi4EPS+YeO+qS07f0BODzNnVoWEC+gKZ2+CVm96l2XbwkWqac3g/F1k 7pyfR/iVmRB5XrR55g4ACRrp24VkJd7AR9H9E8g6mEn83hCXMmD3FPNsaYRsgVyo UwhegAJk4Tlhx/vt/wDb =5oMq -----END PGP SIGNATURE-----
Current thread:
- Re: CVE request: opus codec before 1.0.2 Hanno Böck (Jan 10)