Hi,

Over the past several weeks, I have been investigating various vulnerabilities in lame[0] which I couldn't reproduce on any Debian system. I have reported them to lame's upstream, which claims they are duplicates of other already reported issues, with fixes available in the CVS (I couldn't verify it by myself; the stack traces are slightly different).

What I tried:

- Build with clang < 4.0 and > 4.0
- Rebuild dependencies with different flags
- Use valgrind instead of asan (I know this is already out of the LTS scope and I'm not going to count all these hours in my report)

In fact I did detect something, but only memory leaks, not the expected overflows.

Even if I couldn't really reproduce these bugs, I still think they may be affecting Debian under specific conditions (e.g. build flags of linked libraries...).

I briefly thought of preparing a wheezy update cherry-picking upstream's fixes from the CVS, but the diffs are quite big and sometimes address several issues at the same time. Not a very good idea.

Instead of applying the patches I'd propose to wait for lame 3.100, which I could backport to stretch, jessie and wheezy if the security team thinks it's a good idea. Otherwise we could simply mark these issues no-dsa because I have already spent way too much time on them.

If some of you are interested in trying to reproduce them, this would be helpful because I may be doing something wrong.

Regards,
Hugo

[0] https://security-tracker.debian.org/tracker/source-package/lame

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA