Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)

[Seth Arnold <seth.arnold () canonical com>]

On Mon, Jul 10, 2017 at 11:42:53AM +0200, Dr. Thomas Orgis wrote:
> Is this really worth a CVE, though? So far I was only able to see a
> crash triggered by the AddressSanitizer. Never from a normal build. So

It is common to assign CVEs for issues discovered via fuzzers and
sanitizers even if the consequences aren't visible without them: perhaps
the consequences aren't visible to users only by accident.

Some people only accept a vulnerability report if there's an exploit that
goes along with it but developing even a proof of concept is difficult
and error-prone. Lack of an exploit doesn't prove that an issue can safely
be ignored. (There's always someone more dedicated to writing an exploit.)

Assigning a CVE number makes downstream consumers aware of the issue and
each can prioritize a fix as they see fit based on their own threat models.

> every build of mpg123 in the wild, except for extremely hardened
> distros that build everything with GCC's sanitizers enabled for daily
> use, is not affected. Are people running binaries in production with
> the sanitizers on?

I believe the general consensus is that only the UBSAN sanitizer is safe
for 'daily use'; the others aren't themselves security hardened and in
fact have lead to exploits. This thread has more discussion:
http://www.openwall.com/lists/oss-security/2016/02/18/1

Thanks

Attachment: signature.asc
Description: