Re: [Cellar] Security considerations: recursive elements
Steve Lhomme <slhomme@matroska.org> Sun, 21 January 2018 17:19 UTC
Return-Path: <slhomme@matroska.org>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 189B31270AB for <cellar@ietfa.amsl.com>; Sun, 21 Jan 2018 09:19:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=matroska-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZ9WQbs3PqYW for <cellar@ietfa.amsl.com>; Sun, 21 Jan 2018 09:19:21 -0800 (PST)
Received: from mail-pg0-x235.google.com (mail-pg0-x235.google.com [IPv6:2607:f8b0:400e:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5E53127023 for <cellar@ietf.org>; Sun, 21 Jan 2018 09:19:20 -0800 (PST)
Received: by mail-pg0-x235.google.com with SMTP id k68so5240334pga.3 for <cellar@ietf.org>; Sun, 21 Jan 2018 09:19:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=matroska-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0PkdHs/6dbECV6mwoNKhzUEL15eRc9sl7YM5m/fWQN4=; b=jYz7XpBZIeCZOMBcDvg4tgNkI43Lex25movVAkM/r+/oDEO9h41iHM6cYQG7Yuq3lN rznqauk0DIWwvvhnf8IO9sWDLwumxmOBYJSpoQChjqGhtuAQQQiNKVzbB+umNrAl5IVg DFSUtaX0LPUI16U9FGgVJWkum1wNIX99f81C5y6h144FMgHQyNQzcgDvsNOhXBBW0qLC +ppp3Qba0FIifK68CokMXS5bCBP++6Cvuj9q1dUTePGfn/z2GejBPr4gxXacFkHKyO5p 2cbUSArC4HEGxf8/bwmtXmJ8BHeudVdNFtGoKYCRVmlomGVGPOF5xK9sm5/kpLA5aBQ7 jidg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0PkdHs/6dbECV6mwoNKhzUEL15eRc9sl7YM5m/fWQN4=; b=ChCI8ZKCtV2Dyh9pFaPAFCf3MiDxv2MUJRsoxSGufEAgy/ZGG+oSnlwMIwszV+flW4 lH5NbcAIWBOU8CS7g4z3jThBENjnUnx3zUncc05T5I9PG0EnGith0Pjcib+6VhubD3YH 4XEB2aKHeGAuPPcaVI6upAhx1frWW7Px2Eey5ji6Bq4KO7w0O+v38GV/i8jRI8oSqBn9 K3OHnVDlDLnCEcEUqy8xkTHDno5colcgy7yE3bBYb/0F9Y5wCnGh6gpTRek8yXCeKAYN lcLBX8fqiZm9f++fiXfq2DRr3J2aGsiG+Fq5hviXxAXFskysr4NxRgtftS1LgrB8WSIy YQ+Q==
X-Gm-Message-State: AKwxytf0kTKMzXeHgokugf8Dp1jzHsFheXzP8mb9aeX++D6WCL9iw6g6 hFgRHeCc/cQMW9WjkouZBeNGor8FHJnI5FQO+wxdEg==
X-Google-Smtp-Source: AH8x226E71E0jtp2L+8J7C4258O9I1xpNxmJcSiiP96eUOQ2I3waOlEwvCiSUGnWMC9BNfNkdqPatiqoyFCKMq/9XYw=
X-Received: by 10.99.147.21 with SMTP id b21mr4860603pge.318.1516555160417; Sun, 21 Jan 2018 09:19:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.189.150 with HTTP; Sun, 21 Jan 2018 09:19:20 -0800 (PST)
In-Reply-To: <20180117223156.GD3493@michaelspb>
References: <CAHUoETL6+2XokNy5skB7dzjuzowoL8kV9gNLgd6HeJYiZcXpOQ@mail.gmail.com> <20180117223156.GD3493@michaelspb>
From: Steve Lhomme <slhomme@matroska.org>
Date: Sun, 21 Jan 2018 18:19:20 +0100
Message-ID: <CAOXsMFKcthSiyNFUGvRFhPvBd7fofHHT=J_n33GA=KyfWSitrg@mail.gmail.com>
To: Michael Niedermayer <michael@niedermayer.cc>
Cc: Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/6IJjbnhxT1_udmCvQ1kHEhxtA0I>
Subject: Re: [Cellar] Security considerations: recursive elements
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jan 2018 17:19:23 -0000
2018-01-17 23:31 GMT+01:00 Michael Niedermayer <michael@niedermayer.cc>: > On Wed, Jan 17, 2018 at 12:33:17PM -0800, Michael Bradshaw wrote: >> The EBML and Matroska specs currently don't mention the possibility of a >> stack overflow due to deeply nested recursive elements. Currently, there's >> no limit on the recursion depth (unless I've overlooked it somewhere). >> >> I think it would be worth adding to the security section of EBML that one >> type of attack on an EBML Reader could include deep element recursion. >> > >> Additionally, I would like to see what people think about potentially >> adding/suggesting an upper limit on recursion (either as a MUST or a MAY). >> This could also include a lower limit too. For example, something like "a >> parser SHOULD handle recursion up to X levels deep, and MAY abort the parse >> if it reaches Y levels deep". > > If a limit is specified then theres a limit that every compliant parser > must support and which a compliant muxer can use. IMO it should be per-file and not mandatory (ie no default max). > If no such limit is specified then it is possible that in a system where > all parts are specification compliant and otherwise compatible it doesnt work. > > So I think its more a question about what/when compatibility is guranteed > / what compatibility we want the specification to gurantee > from that it follows if we need a limit in the specification/draft or not IMO it should be left to the parser to know what to do. The thing it knows is that there's something wrong with the depth of the file and may decide not to go deeper than the limit or issue a warning to the user or ask if the extra parsing should be done. All the specs have to say is that the maximum depth indicate the EBML depth the file should not go further from. Emphasis on the SHOULD. > [...] > > -- > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > If a bugfix only changes things apparently unrelated to the bug with no > further explanation, that is a good sign that the bugfix is wrong. > > _______________________________________________ > Cellar mailing list > Cellar@ietf.org > https://www.ietf.org/mailman/listinfo/cellar > -- Steve Lhomme Matroska association Chairman
- Re: [Cellar] Security considerations: recursive e… Ashley Blewer
- [Cellar] Security considerations: recursive eleme… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Jerome Martinez
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Michael Niedermayer
- Re: [Cellar] Security considerations: recursive e… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Jerome Martinez
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Reto Kromer
- Re: [Cellar] Security considerations: recursive e… Dave Rice
- Re: [Cellar] Security considerations: recursive e… Peter B.
- Re: [Cellar] Security considerations: recursive e… Michael Bradshaw
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Steve Lhomme
- Re: [Cellar] Security considerations: recursive e… Luca Barbato
- Re: [Cellar] Security considerations: recursive e… hubblec4