
Re: August Report

Hi Raphaël, Roberto,

> > >    These CVEs are especially difficult to reproduce because wheezy's gcc
> > >    doesn't have asan and reproduction conditions might require a specific
> > >    setup.
> > 
> > FWIW, I have been able to reproduce quite a few issues detected by ASAN
> > with valgrind which does similar checks (albeit implemented in a different
> > way).
> > 
> I have also had success rebuilding the wheezy package in jessie, which
> has a new enough gcc to support ASAN.  Of course, that approach only
> works for packages whose dependencies are still largely intact in
> jessie.

Thanks for the advice. This is what I usually do first when I have to
reproduce this kind of issue. In this case, however, I couldn't
reproduce it at all, neither with valgrind nor with ASAN in Jessie.

Agostino suggested that I rebuild the dependencies with debug
flags/protections disabled to see if I can get something, but it didn't
improve the situation. I can only detect some memory leaks, probably related
to the vulnerability.

I have opened a bug report on upstream's bug tracker and hope they will have
a look at it for 3.100.


[0] https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/

             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
