What to do regarding the freeze?
Petter Reinholdtsen
pere at hungry.com
Tue Nov 11 20:26:33 UTC 2014
[Martin Steghöfer]
> Back when I was creating the fix, I looked into the security aspect
> quickly and didn't find any indication of exploitability. The invalid
> access is only a read access and the invalid read isn't close to any
> code that could be influenced by the read value.
>
> Now that the topic came up again, I've looked into it a little bit
> deeper, checking if the undefined value is copied to a place where it
> can actually do harm: Although the undefined value is initially copied
> to several other array elements, it doesn't end up anywhere relevant
> (confirmed by a python-scripted gdb run that follows the values by
> dynamically setting up read watch points) - at least not in the
> particular case of the invalid access when called by oggenc. To tell
> for other cases, you'd have to do some advanced data flow analysis.
Good. If further analysis is needed, I hope upstream can contribute. :)
> So right now nothing points to exploitability. But I'm no security
> expert and certainly not capable of guaranteeing that it cannot be
> exploited in other contexts.
>
> But this is something we can look into in more detail, if it really
> becomes necessary. Don't you think we have a good chance of getting this
> into Jessie, even without it being security critical?
No idea. Try filing an unblock request and see what the release team
has to say. :)
I uploaded the new libtheora today and just filed an unblock request for
it, to try to get the RC bug fixed in Jessie. I hope it gets accepted
too, and expect it to work out just fine as it fixes an RC bug with an
obvious fix.
--
Happy hacking
Petter Reinholdtsen