Hi Raphaël, Roberto,
> > > These CVEs are especially difficult to reproduce because wheezy's gcc
> > > doesn't have asan and reproduction conditions might require a specific
> > > setup.
> >
> > FWIW, I have been able to reproduce quite a few issues detected by ASAN
> > with valgrind which does similar checks (albeit implemented in a different
> > way).
> >
> I have also had success rebuilding the wheezy package in jessie, which
> has a new enough gcc to support ASAN. Of course, that approach only
> works for packages whose dependencies are still largely intact in
> jessie.
Thanks for the advice. This is what I usually do first when I have to
reproduce this kind of issue. In this case however I couldn't
reproduce it at all, either with valgrind or with ASAN in Jessie.
Agostino suggested that I rebuild the dependencies with debug
flags/protections disabled to see if I could get something, and it didn't
improve the situation. I can only detect some memory leaks, probably related
to the vulnerability.
I have opened a bug report on upstream's bug tracker and hope they will have
a look at it for 3.100.
Regards,
Hugo
[0] https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA