Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)

[Kurt Seifried <kseifried () redhat com>]

On 2017-07-10 8:04 PM, Michal Zalewski wrote:
> > It's hard to see a security issue here
> I'm not sure this applies here, but the use of uninitialized memory
> can be an issue when, say, a website calls your code to convert
> user-controlled audio (e.g., to optimize it for streaming). For
> libraries, this could leak some information about the audio converted
> for other users, possibly revealing it to the attacker. For one-shot
> conversions with a command-line tool, this is unlikely, but the
> uninitialized memory could still end up leaking some system-specific
> secrets (e.g., ASLR memory layout, credentials, etc).
Just a reminder to all, a worst case scenario to the above:

https://twitter.com/taviso/status/832744397800214528?lang=en
> Not that this is necessarily a risk here; depends on how much memory
> is accessed, what happens with it later on, whether anyone is even
> using the library / tool this way, whether doing so is sane in the
> first place, etc.
>
> /mz
Heartbleed was "only" 64k (that's actually a pretty huge amount for
sensitive data).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com