(Please keep the bug's email address in Cc with any information on this bug that is intended to be public.)
On 10/03/14 12:06, Gustavo Grieco wrote:
>> Have you already reported this bug to mp3gain's upstream developer
>> <http://mp3gain.sourceforge.net/>
>
> I haven't. Should I now?

You probably know more about this bug and its implications than I do, so yes, please do. Please reply to this bug report with a link to the upstream bug.

I must admit I'm rather surprised to see a member of a "team working in vulnerability research" reporting this as a public bug to Debian without having notified either upstream or the Debian security team privately. Please consider practising responsible disclosure in future vulnerability reports.

>> How did you find this overflow? Did you use a fuzzer or similar to
>> construct your PoC, or did you locate a specific buffer that was
>> overflowed by inspecting the source code, or what?
>
> In fact, no source code was used. For the vulnerability discovery, we
> used Mayhem combined with a new technique to fuzz based on automatic
> input detection and seed minimization.
> And for exploitation, we used a blackbox tool that automatically
> generates a working exploit. It is very effective (it requires disabling
> DEP and ASLR, but these are only additions to the exploitation process).
> We have hundreds of these small exploits, waiting for a response from
> the Debian Security team on how to submit them (since we don't want to
> SPAM them).

I think it's highly unlikely that the desired submission mechanism is going to be "open public bugs in Debian without notifying the packages' upstreams"...

> I'm not very familiar with the -fsanitize flag of gcc. Nevertheless, I
> think that enabling the full stack protection available in gcc
> (-fstack-protector-all) will be an effective mitigation.

I'm not so sure. It's already compiled with "-fstack-protector --param=ssp-buffer-size=4", and the static buffer in question is considerably larger than 4 bytes, so I don't see how -fstack-protector-all would help us.
From the buildd reports I've had back, it looks as though -fsanitize=address only works on x86, so I'm going to have to undo this mitigation on other architectures.

    S
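The maintainer's problem above (a hardening flag that the package's own buildds accept on some architectures and reject on others) is usually handled with a configure-time probe rather than a hard-coded architecture list. The script below is an added example written for this page; it is not from the mp3gain package, the Debian bug, or either correspondent. It assumes only a POSIX shell, a C compiler reachable as `cc` (or via `$CC`), and `mktemp`; the helper names `asan_supported` and `hardening_cflags` are invented here. It compiles a trivial translation unit with `-fsanitize=address` and adds the flag only if the compile and link succeed, while keeping the stack protector flags the message says the package already builds with.

```shell
#!/bin/sh
# Hypothetical build helper (not from the Debian bug thread).
# Probe whether the toolchain given as $1 (default: cc) can compile AND link
# with -fsanitize=address. Returns 0 if it can, 1 otherwise. The link step
# matters: a compiler may accept the flag yet have no libasan for the target.
asan_supported() {
    cc="${1:-cc}"
    tmpdir="$(mktemp -d 2>/dev/null || mktemp -d -t asanprobe 2>/dev/null)"
    [ -n "$tmpdir" ] || return 1
    # Trivial program: the question is whether the flag is usable here,
    # not whether the instrumented code behaves.
    printf 'int main(void) { return 0; }\n' > "$tmpdir/probe.c"
    if "$cc" -fsanitize=address -o "$tmpdir/probe" "$tmpdir/probe.c" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Compose CFLAGS: keep the stack protector the package already uses (it
# already instruments functions whose arrays are ssp-buffer-size bytes or
# larger), and add ASan only where the probe succeeds. Prints the flags so
# a makefile or debian/rules can capture them with $(...).
hardening_cflags() {
    flags="-fstack-protector --param=ssp-buffer-size=4"
    if asan_supported "${1:-cc}"; then
        flags="$flags -fsanitize=address"
    fi
    printf '%s\n' "$flags"
}

# Example use: CFLAGS="$(hardening_cflags "${CC:-cc}")"
```

Because the decision is made per toolchain at build time, the same rules file gives the mitigation where it links and silently falls back to the stack protector alone where it does not, which is the behaviour the maintainer wanted across the buildd fleet.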