oss-sec mailing list archives
Re: CVE request: opus codec before 1.0.2
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 13 Dec 2012 22:29:32 +0100
On Tue, 11 Dec 2012 11:02:15 -0700
Kurt Seifried <kseifried () redhat com> wrote:

> On 12/11/2012 05:32 AM, Hanno Böck wrote:
> > http://lists.xiph.org/pipermail/opus/2012-December/001846.html
> > sounds like a low-severity security issue:
> >
> > "Opus 1.0.2 fixes an out-of-bounds read that could be triggered by a
> > malicious Opus packet by causing an integer wrap-around in the padding
> > code. Considering that the packet would have to be at least 16 MB in
> > size and that no out-of-bounds write is possible, the severity is very
> > low."
> >
> > Fixed in opus 1.0.2.
>
> What's the security impact? does the service crash?

I don't know any details, just read the release announcement and it
sounded security relevant.

This is the commit:
http://git.xiph.org/?p=opus.git;a=commit;h=466c879a063e77941b95a6a0298905ba707667ac

Sorry, I don't know more.

-- 
Hanno Böck
mail/jabber: hanno () hboeck de
GPG: BBB51E42
http://www.hboeck.de/