What to do regarding the freeze?

Martin Steghöfer martin at steghoefer.eu
Wed Nov 5 23:44:03 UTC 2014


Petter Reinholdtsen wrote:
>> I agree. An invalid memory access can crash the whole application
>> that uses it, so that could qualify for severity "important".
> "invalid memory access" raises a red flag with me regarding security.
> I have not looked at the code, but would like us to be very sure the
> issue isn't remotely exploitable before deciding it isn't a security
> issue.  If it is a security issue, the severity should be higher than
> important, I believe.

Back when I was creating the fix, I looked into the security aspect 
quickly and didn't find any indication of exploitability. The invalid 
access is only a read access and the invalid read isn't close to any 
code that could be influenced by the read value.

Now that the topic came up again, I've looked into it a little bit 
deeper, checking if the undefined value is copied to a place where it 
can actually do harm: Although the undefined value is initially copied 
to several other array elements, it doesn't end up anywhere relevant 
(confirmed by a python-scripted gdb run that follows the values by 
dynamically setting up read watch points) - at least not in the 
particular case of the invalid access when called by oggenc. To tell for 
other cases, you'd have to do some advanced data flow analysis.

So right now nothing points to exploitability. But I'm no security 
expert and certainly not capable of guaranteeing that it cannot be 
exploited in other contexts.

But this is something we can look into in more detail, if it really 
becomes necessary. Don't you think we have a good chance of getting this 
into Jessie, even without it being security critical?

I know that there is also the aspect of distributing the patch quickly 
to upstream and other distributions, if it turns out to be security 
critical. But I think that is something that upstream should take care 
of, isn't it? So maybe that's the important part: making upstream aware 
of the problem and forwarding the patch.

Cheers,
Martin




More information about the pkg-xiph-maint mailing list