Hi Raphaël, Roberto,

> > > These CVEs are especially difficult to reproduce because wheezy's gcc
> > > doesn't have asan and reproduction conditions might require a specific
> > > setup.
> >
> > FWIW, I have been able to reproduce quite a few issues detected by ASAN
> > with valgrind which does similar checks (albeit implemented in a different
> > way).
>
> I have also had success rebuilding the wheezy package in jessie, which
> has a new enough gcc to support ASAN. Of course, that approach only
> works for packages whose dependencies are still largely intact in
> jessie.
Thanks for the advice. This is what I usually do at first when I have to reproduce this kind of issue. In this case however I couldn't reproduce it at all, neither with valgrind nor with asan in Jessie. Agostino suggested that I rebuild the dependencies with debug flags/protections disabled to see if I can get something, and it didn't improve the situation. I can only detect some memory leaks probably related to the vulnerability. I have opened a bug report on upstream's bug tracker and hope they will have a look at it for 3.100.

Regards,
Hugo

[0] https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA