Message-ID: <CAOSRhRM8Ct2UMkcp-cAX=RBcVaWe4Q4ktiJ4jKdi8Yi-DkPJWQ@mail.gmail.com>
Date: Fri, 15 Jul 2011 06:49:52 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Cc: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Secunia Research <vuln@...unia.com>
Subject: Re: Re: CVE Request -- libsndfile -- Integer overflow by processing certain PAF files

>
> In terms of ease of exploitation, this one has to be in the very difficult
> basket.
>

I agree, this would be difficult to exploit.

>> It's better to be safe than sorry.
>
> That's why I rushed out a new release. I do take this seriously, but
> I do not like to see the threat exaggerated beyond reason.
>

I didn't mean to imply we should be panicking and running for the
hills. Just that the assessment that this is *potentially* exploitable
for code execution is accurate and is most helpful to distributions
and users when gauging risk and determining when to release and apply
updates.

-Dan

> Erik
> --
> ----------------------------------------------------------------------
> Erik de Castro Lopo
> http://www.mega-nerd.com/
>
