Message-ID: <54BCD0D8.4000300@gmail.com>
Date: Mon, 19 Jan 2015 11:39:36 +0200
From: Paris Zoumpouloglou <pariszoump@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] vorbis-tools issues

----------
Background
----------

Vorbis tools is a package containing tools to use, manipulate and create
Vorbis files.

----------------
Software Version
----------------

All tests were performed using vorbis-tools latest svn (Revision: 19440)

-----------
Description
-----------

During a fuzzing session (using afl-fuzzer) two issues were discovered in
oggenc tool of vorbis-tools:

* a division by zero bug
* an integer overflow leading to out-of-bounds memory read

Both issues are triggered by the number of channels in the input WAV file.

More info can be found at:

https://trac.xiph.org/ticket/2137 (division by zero)
https://trac.xiph.org/ticket/2136 (integer overflow)

--------
Timeline
--------

2014-12-29 Issue reported to xiph.org bug tracker
2014-01-18 No response, public disclosure

--
Paris Zoumpouloglou
@pzmini0n
https://projectzero.gr

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
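
Added example, not part of the original post and not oggenc's code: the checks a WAV reader needs on the channel count before it divides by a frame size or sizes a buffer from it, which are the two bug classes named above. The struct, enum and function names are hypothetical; the field offsets are those of the standard 16-byte PCM "fmt " chunk body.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names; fields follow the standard 16-byte PCM "fmt " chunk. */
struct wav_fmt {
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t block_align;
    uint16_t bits_per_sample;
    uint32_t frame_bytes;   /* channels * bytes per sample, validated */
};

enum { WAV_OK = 0, WAV_SHORT = -1, WAV_BAD_CHANNELS = -2,
       WAV_BAD_BITS = -3, WAV_BAD_ALIGN = -4, WAV_TOO_BIG = -5 };

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse and validate the body of a "fmt " chunk (attacker-controlled input). */
int wav_fmt_parse(const unsigned char *body, size_t len, struct wav_fmt *out)
{
    if (len < 16) return WAV_SHORT;
    out->channels        = le16(body + 2);
    out->sample_rate     = le32(body + 4);
    out->block_align     = le16(body + 12);
    out->bits_per_sample = le16(body + 14);

    /* Zero channels would make any later "bytes / frame size" divide by 0. */
    if (out->channels == 0) return WAV_BAD_CHANNELS;
    if (out->bits_per_sample == 0 || out->bits_per_sample % 8 != 0 ||
        out->bits_per_sample > 32) return WAV_BAD_BITS;

    /* Multiply in 32 bits so the product cannot wrap, then cross-check it
       against the 16-bit block_align field the file itself declares. */
    out->frame_bytes = (uint32_t)out->channels * (out->bits_per_sample / 8u);
    if (out->frame_bytes != out->block_align) return WAV_BAD_ALIGN;
    return WAV_OK;
}

/* Size of a buffer holding `frames` frames, refusing products that wrap. */
int wav_buffer_bytes(const struct wav_fmt *f, size_t frames, size_t *bytes)
{
    if (f->frame_bytes == 0 || frames > SIZE_MAX / f->frame_bytes) return WAV_TOO_BIG;
    *bytes = frames * f->frame_bytes;
    return WAV_OK;
}
```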