Hi,

I've had a look at the CVEs currently affecting lame in wheezy but couldn't reproduce CVE-2017-9869, CVE-2017-9870, CVE-2017-9871 and CVE-2017-9872 on my system. This is weird because the wheezy version is identical to the one mentioned in the CVE. I've asked agostino for more build information but didn't get any answer yet.

Could any of you try to reproduce them? The reproducers are online: CVE-2017-9869 [0], CVE-2017-9870 [1], CVE-2017-9871 [2], CVE-2017-9872 [3].

You'll need to compile lame with ASan, which is not available in the wheezy version of gcc (I've compiled and tested it in a Jessie virtual machine; if any of you have a better solution, I'd like to hear it).

cheers,
Hugo

[0] https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/
[1] https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c/
[2] https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
[3] https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c/

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
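The reproduction step the mail asks for (an ASan build of lame, run against each reproducer, with the sanitizer report reduced to "error type in function" so results can be compared with the Gentoo posts), as an added example script that is not part of Hugo's mail. It assumes an unpacked lame source tree and locally downloaded reproducer files (paths are placeholders), and that `lame --decode` is the invocation that triggers the reports.

```shell
#!/bin/sh
# Added example: build lame with AddressSanitizer and summarise the report
# produced by a reproducer. Not from the original mail; paths are assumptions.

# Reduce an ASan report (read from stdin) to "<error-type> in <function>",
# e.g. "global-buffer-overflow in II_step_one". Prints nothing if no report.
asan_summary() {
    awk '
        # "==PID==ERROR: AddressSanitizer: <type> on address ..." -> field after "AddressSanitizer:"
        /ERROR: AddressSanitizer:/ {
            for (i = 1; i <= NF; i++) if ($i == "AddressSanitizer:") err = $(i + 1)
        }
        # First stack frame: "#0 0xADDR in FUNC file.c:LINE" -> FUNC is field 4
        /^ *#0 / { fn = $4; exit }
        END { if (err != "") print err " in " fn }
    '
}

# Configure and build lame from $1 (assumed: an unpacked source tree, e.g. from
# "apt-get source lame") with ASan enabled; -O1 keeps frames readable.
build_lame_asan() {
    ( cd "$1" \
      && ./configure CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
                     LDFLAGS="-fsanitize=address" \
      && make -j"$(nproc)" )
}

# Decode reproducer $2 with the ASan-instrumented frontend $1 (assumed path to
# frontend/lame in the built tree) and print the one-line summary.
run_reproducer() {
    "$1" --decode "$2" /dev/null 2>&1 | asan_summary
}

# Usage (placeholders):
#   build_lame_asan /path/to/lame-3.99.5
#   for f in /path/to/reproducers/*; do
#       printf '%s: ' "$f"; run_reproducer /path/to/lame-3.99.5/frontend/lame "$f"
#   done
```

An empty summary line for a reproducer means the instrumented build did not report anything, which is the "cannot reproduce" case the mail describes.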