Hi On Tue, Jan 17, 2017 at 01:25:27AM -0500, Jean-Marc Valin wrote: > Hi, > > CVE-2017-0381 states that: > "A remote code execution vulnerability in silk/NLSF_stabilize.c in > libopus in Mediaserver could enable an attacker using a specially > crafted file to cause memory corruption during media file and data > processing." > > Now I'm not sure who did the analysis of this bug, but the analysis we > did concluded that the very worst that could happen was a slightly out > of bounds *read* 256 bytes before a constant table. What this means in > practice is that the value is read from another table and the decoded > data audio will sound bad (which was already going to happen if you're > decoding garbage data). > > The worst case that could happen is a plain crash. This would happen if > the code is compiled with assertions (the code would assert before > making the read), or -- if you're really unlucky -- if the table is > placed just after some unreadable memory. > > So while the bug definitely needed to be fixed -- and was fixed back in > July -- we don't consider it to be a severe security issue. If you > disagree with our analysis, could you point out what we missed?
Apologies for the long delay, Jean-Marc. Thanks a lot for your analysis. Ron, would it be possible that you fix that issue via an upcoming point release for jessie? It would not warrant a DSA on it's own. Regards, Salvatore
