
Wheezy update for lame



Hi,

Over the past several weeks, I have been investigating various
vulnerabilities in lame[0] which I couldn't reproduce on any
Debian system. I have reported them to lame's upstream
which claims they are duplicates of other already reported
issues, with fixes available in the CVS (couldn't verify it by
myself, stack traces are slightly different).

What I tried:
 - Build with clang < 4.0 and > 4.0
 - Rebuild dependencies with different flags
 - Use valgrind instead of asan

(I know this is already out of the LTS scope and I'm not going to
count all these hours in my report)

In fact I did detect something, but only memory leaks, not the
expected overflows.

Even if I couldn't really reproduce these bugs, I still think they
may be affecting Debian under specific conditions (e.g. build flags
of linked libraries...).

I briefly thought of preparing a wheezy update cherry-picking
upstream's fixes from the CVS, but the diffs are quite big and
sometimes address several issues at the same time. Not a very good
idea.

Instead of applying the patches I'd propose to wait for lame 3.100
which I could backport to stretch, jessie and wheezy if the security
team thinks it's a good idea.

Otherwise we could simply mark these issues no-dsa because I have
already spent way too much time on them.

If some of you are interested in trying to reproduce them, this
would be helpful because I may be doing something wrong.

Regards,
 Hugo

[0] https://security-tracker.debian.org/tracker/source-package/lame

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA


