lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 19 Jan 2015 11:39:36 +0200
From: Paris Zoumpouloglou <pariszoump@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] vorbis-tools issues

----------
Background
----------

Vorbis tools is a package containing tools to use, manipulate and create
Vorbis files.

----------------
Software Version
----------------

All tests were performed using vorbis-tools latest svn (Revision: 19440)

-----------
Description
-----------

During a fuzzing session (using afl-fuzzer) two issues were discovered
in oggenc tool of vorbis-tools :

* a division by zero bug
* an integer overflow leading to out-of-bounds memory read


Both issues are triggered by the number of channels in the input WAV file.

More info can be found at :

https://trac.xiph.org/ticket/2137 (division by zero)
https://trac.xiph.org/ticket/2136 (integer overflow)


--------
Timeline
--------

2014-12-29 Issue reported to xiph.org bug tracker
2014-01-18 No response, public disclosure

-- 
Paris Zoumpouloglou
@pzmini0n

https://projectzero.gr



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists