Nice finds! Just a comment about "memory allocation errors". These would not typically be considered a "vulnerability", unless there's something obviously wrong with how much memory is allocated and possibly later used. Allocation errors are in the vast majority of cases reported to end-users of the tool/service, and it's considered a correct way of handling this kind of problem.
Maybe faad could have a config option, like the one libjpeg provides, which limits the size of single and total memory allocations, but it seems optional.

2017-06-27 4:19 GMT+02:00 qflb.wu <qflb...@dbappsecurity.com.cn>:
> Freeware Advanced Audio Decoder 2 (FAAD2) multiple vulnerabilities
>
> ================
> Author : qflb.wu
> ===============
>
> Introduction:
> =============
> FAAD2 is a decoder for a lossy sound compression scheme specified in MPEG-2
> Part 7 and MPEG-4 Part 3 standards and known as Advanced Audio Coding (AAC).
>
> Affected version:
> =====
> 2.7
>
> Vulnerability Description:
> ==========================
> 1.
> the mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (invalid memory read
> and application crash) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_stsd_invalid_memory_read.mp4 -o out.wav
>
> ASAN:SIGSEGV
> =================================================================
> ==79726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000004a8cd5 sp 0x7ffe49bd3c20 bp 0x7ffe49bd3d20 T0)
>     #0 0x4a8cd4 in mp4ff_read_stsd /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:386
>     #1 0x4a8cd4 in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:671
>     #2 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
>     #3 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
>     #4 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
>     #5 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
>     #6 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
>     #7 0x7f21554edec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>     #8 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:386 mp4ff_read_stsd
> ==79726==ABORTING
>
> POC:
> faad2_2.7_mp4ff_read_stsd_invalid_memory_read.mp4
> CVE:
> CVE-2017-9218
>
> 2.
> the mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (memory allocation
> error and application crash) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_stsc_memory_allocation_error.mp4 -o out.wav
>
> ==81366==ERROR: AddressSanitizer failed to allocate 0xac003000 (2885693440) bytes of LargeMmapAllocator: 12
> ==81366==Process memory map follows:
>     0x000000400000-0x0000004db000 /home/a/Downloads/faad2-2.7/frontend/.libs/faad
>     0x0000006db000-0x0000006dc000 /home/a/Downloads/faad2-2.7/frontend/.libs/faad
>     0x0000006dc000-0x0000006e1000 /home/a/Downloads/faad2-2.7/frontend/.libs/faad
>     0x0000006e1000-0x000001b25000
>     0x00007fff7000-0x00008fff7000
>     ...
> ==81366==End of process memory map.
> ==81366========
>     #0 0x46cd8f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x46cd8f)
>     #1 0x4725f1 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x4725f1)
>     #2 0x476ebe in __sanitizer::MmapOrDie(unsigned long, char const*) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x476ebe)
>     #3 0x432598 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x432598)
>     #4 0x42e5db in __asan::Allocate(unsigned long, unsigned long, __sanitizer::StackTrace*, __asan::AllocType, bool) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x42e5db)
>     #5 0x466e26 in __interceptor_malloc (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x466e26)
>     #6 0x4aae52 in mp4ff_read_stsc /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:423
>     #7 0x4aae52 in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:665
>     #8 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
>     #9 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #10 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #11 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #12 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #13 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
>     #14 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
>     #15 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
>     #16 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
>     #17 0x7f7260e5cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>     #18 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)
>
> POC:
> faad2_2.7_mp4ff_read_stsc_memory_allocation_error.mp4
> CVE:
> CVE-2017-9219
>
> 3.
> the mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (memory allocation
> error) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_stco_memory_allocation_error.mp4 -o out.wav
>
> ==81459==WARNING: AddressSanitizer failed to allocate 0xfffffffe18000000 bytes
> ==81459==AddressSanitizer's allocator is terminating the process instead of returning 0
> ==81459==If you don't like this behavior set allocator_may_return_null=1
> ==81459==
>     #0 0x46cd8f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x46cd8f)
>     #1 0x4725f1 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x4725f1)
>     #2 0x471330 in __sanitizer::AllocatorReturnNull() (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x471330)
>     #3 0x466e26 in __interceptor_malloc (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x466e26)
>     #4 0x4aab2f in mp4ff_read_stco /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:448
>     #5 0x4aab2f in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:668
>     #6 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
>     #7 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #8 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #9 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #10 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #11 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
>     #12 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
>     #13 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
>     #14 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
>     #15 0x7f3a7dd64ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>     #16 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)
>
> POC:
> faad2_2.7_mp4ff_read_stco_memory_allocation_error.mp4
> CVE:
> CVE-2017-9220
>
> 4.
> the mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (invalid memory read
> and application crash) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_mdhd_invalid_memory_read.mp4 -o out.wav
>
> ASAN:SIGSEGV
> =================================================================
> ==81533==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000009c (pc 0x0000004abd74 sp 0x7ffd8d1bb470 bp 0x7ffd8d1bb570 T0)
>     #0 0x4abd73 in mp4ff_read_mdhd /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:614
>     #1 0x4abd73 in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:677
>     #2 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
>     #3 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
>     #4 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
>     #5 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
>     #6 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
>     #7 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
>     #8 0x7f16f7a77ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>     #9 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:614 mp4ff_read_mdhd
> ==81533==ABORTING
>
> POC:
> faad2_2.7_mp4ff_read_mdhd_invalid_memory_read.mp4
> CVE:
> CVE-2017-9221
>
> 5.
> the mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (infinite loop
> and CPU consumption) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_parse_tag_infinite_loop.mp4 -o out.wav
>
> POC:
> faad2_2.7_mp4ff_parse_tag_infinite_loop.mp4
> CVE:
> CVE-2017-9222
>
> 6.
> the mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (invalid memory read
> and application crash) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_stts_invalid_memory_read.mp4 -o out.wav
>
> ASAN:SIGSEGV
> =================================================================
> ==86670==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000004aa0d1 sp 0x7ffc40cbbb80 bp 0x7ffc40cbbc80 T0)
>     #0 0x4aa0d0 in mp4ff_read_stts /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:495
>     #1 0x4aa0d0 in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:659
>     #2 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
>     #3 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
>     #4 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
>     #5 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
>     #6 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
>     #7 0x7f0f9cfbeec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>     #8 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:495 mp4ff_read_stts
> ==86670==ABORTING
>
> POC:
> faad2_2.7_mp4ff_read_stts_invalid_memory_read.mp4
> CVE:
> CVE-2017-9223
>
> 7.
> the mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (large loop and CPU
> consumption) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_stsd_large_loop.mp4 -o out.wav
>
> static int32_t mp4ff_read_stsd(mp4ff_t *f)
> {
>     int32_t i;
>     uint8_t header_size = 0;
>
>     mp4ff_read_char(f); /* version */
>     mp4ff_read_int24(f); /* flags */
>
>     f->track[f->total_tracks - 1]->stsd_entry_count = mp4ff_read_int32(f);   <==========
>
>     for (i = 0; i < f->track[f->total_tracks - 1]->stsd_entry_count; i++)   <==========
>     {
>         uint64_t skip = mp4ff_position(f);
>         uint64_t size;
>         uint8_t atom_type = 0;
>         size = mp4ff_atom_read_header(f, &atom_type, &header_size);
>         skip += size;
>
>         if (atom_type == ATOM_MP4A)
>         {
>             f->track[f->total_tracks - 1]->type = TRACK_AUDIO;
>             mp4ff_read_mp4a(f);
>         } else if (atom_type == ATOM_MP4V) {
>             f->track[f->total_tracks - 1]->type = TRACK_VIDEO;
>         } else if (atom_type == ATOM_MP4S) {
>             f->track[f->total_tracks - 1]->type = TRACK_SYSTEM;
>         } else {
>             f->track[f->total_tracks - 1]->type = TRACK_UNKNOWN;
>         }
>
>         mp4ff_set_position(f, skip);
>     }
>
>     return 0;
> }
>
> POC:
> faad2_2.7_mp4ff_read_stsd_large_loop.mp4
> CVE:
> CVE-2017-9253
>
> 8.
> the mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (large loop and CPU
> consumption) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_stts_large_loop.mp4 -o out.wav
>
> static int32_t mp4ff_read_stts(mp4ff_t *f)
> {
>     int32_t i;
>     mp4ff_track_t * p_track = f->track[f->total_tracks - 1];
>
>     if (p_track->stts_entry_count) return 0;
>
>     mp4ff_read_char(f); /* version */
>     mp4ff_read_int24(f); /* flags */
>     p_track->stts_entry_count = mp4ff_read_int32(f);   <============
>
>     p_track->stts_sample_count = (int32_t*)malloc(p_track->stts_entry_count * sizeof(int32_t));
>     p_track->stts_sample_delta = (int32_t*)malloc(p_track->stts_entry_count * sizeof(int32_t));
>
>     if (p_track->stts_sample_count == 0 || p_track->stts_sample_delta == 0)
>     {
>         if (p_track->stts_sample_count) {free(p_track->stts_sample_count);p_track->stts_sample_count=0;}
>         if (p_track->stts_sample_delta) {free(p_track->stts_sample_delta);p_track->stts_sample_delta=0;}
>         p_track->stts_entry_count = 0;
>         return 0;
>     }
>     else
>     {
>         for (i = 0; i < f->track[f->total_tracks - 1]->stts_entry_count; i++)   <===========
>         {
>             p_track->stts_sample_count[i] = mp4ff_read_int32(f);
>             p_track->stts_sample_delta[i] = mp4ff_read_int32(f);
>         }
>         return 1;
>     }
> }
>
> POC:
> faad2_2.7_mp4ff_read_stts_large_loop.mp4
> CVE:
> CVE-2017-9254
>
> 9.
> the mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (large loop and CPU
> consumption) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_stsc_large_loop.mp4 -o out.wav
>
> static int32_t mp4ff_read_stsc(mp4ff_t *f)
> {
>     int32_t i;
>
>     mp4ff_read_char(f); /* version */
>     mp4ff_read_int24(f); /* flags */
>     f->track[f->total_tracks - 1]->stsc_entry_count = mp4ff_read_int32(f);   <========
>
>     f->track[f->total_tracks - 1]->stsc_first_chunk =
>         (int32_t*)malloc(f->track[f->total_tracks - 1]->stsc_entry_count*sizeof(int32_t));
>     f->track[f->total_tracks - 1]->stsc_samples_per_chunk =
>         (int32_t*)malloc(f->track[f->total_tracks - 1]->stsc_entry_count*sizeof(int32_t));
>     f->track[f->total_tracks - 1]->stsc_sample_desc_index =
>         (int32_t*)malloc(f->track[f->total_tracks - 1]->stsc_entry_count*sizeof(int32_t));
>
>     for (i = 0; i < f->track[f->total_tracks - 1]->stsc_entry_count; i++)   <========
>     {
>         f->track[f->total_tracks - 1]->stsc_first_chunk[i] = mp4ff_read_int32(f);
>         f->track[f->total_tracks - 1]->stsc_samples_per_chunk[i] = mp4ff_read_int32(f);
>         f->track[f->total_tracks - 1]->stsc_sample_desc_index[i] = mp4ff_read_int32(f);
>     }
>
>     return 0;
> }
>
> POC:
> faad2_2.7_mp4ff_read_stsc_large_loop.mp4
> CVE:
> CVE-2017-9255
>
> 10.
> the mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Advanced
> Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (large loop and CPU
> consumption) via a crafted mp4 file.
>
> ./faad faad2_2.7_mp4ff_read_stco_large_loop.mp4 -o out.wav
>
> static int32_t mp4ff_read_stco(mp4ff_t *f)
> {
>     int32_t i;
>
>     mp4ff_read_char(f); /* version */
>     mp4ff_read_int24(f); /* flags */
>     f->track[f->total_tracks - 1]->stco_entry_count = mp4ff_read_int32(f);   <========
>
>     f->track[f->total_tracks - 1]->stco_chunk_offset =
>         (int32_t*)malloc(f->track[f->total_tracks - 1]->stco_entry_count*sizeof(int32_t));
>
>     for (i = 0; i < f->track[f->total_tracks - 1]->stco_entry_count; i++)   <========
>     {
>         f->track[f->total_tracks - 1]->stco_chunk_offset[i] = mp4ff_read_int32(f);
>     }
>
>     return 0;
> }
>
> POC:
> faad2_2.7_mp4ff_read_stco_large_loop.mp4
> CVE:
> CVE-2017-9256
>
> 11.
> the mp4ff_read_ctts in common/mp4ff/mp4atom.c in Freeware Advanced Audio
> Decoder 2 (FAAD2) 2.7 can cause a denial of service (large loop and CPU
> consumption) via a crafted mp4 file.
>
> static int32_t mp4ff_read_ctts(mp4ff_t *f)
> {
>     int32_t i;
>     mp4ff_track_t * p_track = f->track[f->total_tracks - 1];   <========
>
>     if (p_track->ctts_entry_count) return 0;
>
>     mp4ff_read_char(f); /* version */
>     mp4ff_read_int24(f); /* flags */
>     p_track->ctts_entry_count = mp4ff_read_int32(f);   <========
>
>     p_track->ctts_sample_count = (int32_t*)malloc(p_track->ctts_entry_count * sizeof(int32_t));
>     p_track->ctts_sample_offset = (int32_t*)malloc(p_track->ctts_entry_count * sizeof(int32_t));
>
>     if (p_track->ctts_sample_count == 0 || p_track->ctts_sample_offset == 0)
>     {
>         if (p_track->ctts_sample_count) {free(p_track->ctts_sample_count);p_track->ctts_sample_count=0;}
>         if (p_track->ctts_sample_offset) {free(p_track->ctts_sample_offset);p_track->ctts_sample_offset=0;}
>         p_track->ctts_entry_count = 0;
>         return 0;
>     }
>     else
>     {
>         for (i = 0; i < f->track[f->total_tracks - 1]->ctts_entry_count; i++)   <========
>         {
>             p_track->ctts_sample_count[i] = mp4ff_read_int32(f);
>             p_track->ctts_sample_offset[i] = mp4ff_read_int32(f);
>         }
>         return 1;
>     }
> }
>
> CVE:
> CVE-2017-9257
>
> ===============================
>
> qflb.wu () dbappsecurity com cn
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

-- 
Robert Święcki
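Added here as an illustration, not code from FAAD2 or from either poster: a bounds-checked reader for an `stco` atom body in the shape of the quoted `mp4ff_read_stco`, beside a helper that reproduces the `malloc` size the trusted `entry_count` turns into (the `0xfffffffe18000000` of item 3). The payload-size check and the `STCO_MAX_ENTRIES` cap are assumptions in the spirit of the allocation-limit option the reply suggests.

```c
/* Added example, not FAAD2's code: validate a file-supplied entry_count against
 * the bytes the atom actually carries before allocating or looping over it. */
#include <stdint.h>
#include <stdlib.h>

#define STCO_MAX_ENTRIES (1u << 20)  /* policy cap: an assumption, not FAAD2's */
struct stco { uint32_t entry_count; uint32_t *chunk_offset; };

static uint32_t rd32(const uint8_t *p)  /* big-endian, as MP4 atom fields are */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* payload/len: version(1) flags(3) entry_count(4), then entry_count 4-byte
 * offsets. Returns 0 on success, -1 if the table is truncated or oversized. */
int read_stco_checked(const uint8_t *payload, size_t len, struct stco *out)
{
    out->entry_count = 0;
    out->chunk_offset = NULL;
    if (len < 8) return -1;
    uint32_t count = rd32(payload + 4);        /* attacker-controlled */
    if (count > (len - 8) / 4) return -1;      /* claims more entries than the atom holds */
    if (count > STCO_MAX_ENTRIES) return -1;   /* far beyond any real audio track */
    uint32_t *offs = calloc(count ? count : 1, sizeof *offs); /* count <= len/4: no overflow */
    if (!offs) return -1;
    for (uint32_t i = 0; i < count; i++)
        offs[i] = rd32(payload + 8 + 4 * (size_t)i);
    out->entry_count = count;
    out->chunk_offset = offs;
    return 0;
}

/* Bytes the quoted code hands to malloc: its int32_t count is promoted to size_t
 * in the multiplication, so a count with the top bit set becomes a near-2^64 request. */
size_t unchecked_alloc_size(const uint8_t *payload)
{
    int32_t count = (int32_t)rd32(payload + 4);
    return count * sizeof(int32_t);
}

/* Parses, frees the table, and returns the accepted count, or -1 if rejected. */
long stco_entry_count(const uint8_t *payload, size_t len)
{
    struct stco s;
    if (read_stco_checked(payload, len, &s) != 0) return -1;
    free(s.chunk_offset);
    return (long)s.entry_count;
}

/* Constructed payloads (not the advisory's PoC files): a valid two-entry table,
 * a count of 3 with only two entries present, and count 0x86000000. */
const uint8_t stco_ok[]    = {0,0,0,0, 0,0,0,2, 0,0,0,0x10, 0,0,2,0};
const uint8_t stco_short[] = {0,0,0,0, 0,0,0,3, 0,0,0,0x10, 0,0,2,0};
const uint8_t stco_huge[]  = {0,0,0,0, 0x86,0,0,0};
```

The same check applies to the stsc, stts and ctts readers in the advisory, whose entries are 12 and 8 bytes wide respectively.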