What to do regarding the freeze?
Martin Steghöfer
martin at steghoefer.eu
Wed Nov 5 23:44:03 UTC 2014
Petter Reinholdtsen wrote:
>> I agree. An invalid memory access can crash the whole application
>> that uses it, so that could qualify for severity "important".
> "invalid memory access" raises a red flag with me regarding security.
> I have not looked at the code, but would like us to be very sure the
> issue isn't remotely exploitable before deciding it isn't a security
> issue. If it is a security issue, the severity should be higher than
> important, I believe.
Back when I was creating the fix, I looked into the security aspect
quickly and didn't find any indication of exploitability. The invalid
access is only a read access and the invalid read isn't close to any
code that could be influenced by the read value.
Now that the topic came up again, I've looked into it a little bit
deeper, checking if the undefined value is copied to a place where it
can actually do harm: Although the undefined value is initially copied
to several other array elements, it doesn't end up anywhere relevant
(confirmed by a python-scripted gdb run that follows the values by
dynamically setting up read watch points) - at least not in the
particular case of the invalid access when called by oggenc. To tell for
other cases, you'd have to do some advanced data flow analysis.
So right now nothing points to exploitability. But I'm no security
expert and certainly not capable of guaranteeing that it cannot be
exploited in other contexts.
But this is something we can look into in more detail, if it really
becomes necessary. Don't you think we have a good chance of getting this
into Jessie, even without it being security critical?
I know that there is also the aspect of distributing the patch quickly
to upstream and other distributions, if it turns out to be security
critical. But I think that is something that upstream should take care
of, isn't it? So maybe that's the important part: Making upstream aware
of the problem and forwarding the patch.
Cheers,
Martin