mailing list archives
Re: CVE request: opus codec before 1.0.2
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 10 Jan 2013 20:02:13 +0100
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, 13 Dec 2012 16:35:09 -0700
Kurt Seifried <kseifried () redhat com> wrote:
No problem, not assigning for now unless someone comes up with a
security impact/additional info/etc.
I brought it up in #opus on irc. Sounds to me it is a - low impact -
security issue and should get a CVE.
<hanno> one question about the 1.0.2 release: is the "our of bounds
read" security relevant?
<hanno> this was asked on oss-security (i.e.
the question if this should get a CVE id) <rillian> heh
<rillian> hanno: it's a bounded out of bounds read
<gmaxwell> Movers came to do a walkthrough this morning.
<rillian> so it's definitely a denial of service
<rillian> although we never managed to generate a crash example against
<jmspeex> hanno: In *theory* could could cause a decoder to
crash but so far (AFAIK) we haven't been able to even do that
<gmaxwell> hanno: it can be a DOS at least for some kinds of callers.
If the caller won't otherwise accept a packet >16mbytes (e.g. an rtp
one) then it's not a concern.
<derf> hanno: Well, when we asked the
Mozilla security guys about it, they said
<derf> 14:58:36 <@dveditz> rillian: I'm pretty OK issuing CVE's for
OPUS if we need to
<derf> 14:58:53 <@dveditz> but bugs like that don't
typically get a CVE
<derf> 14:59:02 <@dveditz> otherwise Mitre would
run out of numbers
<jmspeex> IOW, with a lot of effort you
can achieve something nearly as scary as what anyone can achieve more
easily though tons of other known issues
Hanno Böck mail/jabber: hanno () hboeck de
GPG: BBB51E42 http://www.hboeck.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-----END PGP SIGNATURE-----
- Re: CVE request: opus codec before 1.0.2 Hanno Böck (Jan 10)