Re: [codec] AD Evaluation of draft-ietf-codec-opus-update-07
Ben Campbell <ben@nostrum.com> Wed, 26 July 2017 20:22 UTC
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <747d9352-f3b0-56cd-0b2c-9945ba764178@jmvalin.ca>
Date: Wed, 26 Jul 2017 15:22:45 -0500
Cc: draft-ietf-codec-opus-update.all@ietf.org, codec@ietf.org
Message-Id: <1B21E198-2219-4831-861A-2F8939D3BD8D@nostrum.com>
References: <44ADD827-E40E-4BBE-91DB-EFFC249AA10E@nostrum.com> <3e689239-f217-2185-96e2-c6ae35b4d0f3@jmvalin.ca> <15358143-0339-4B75-A5FD-010D465DA603@nostrum.com> <747d9352-f3b0-56cd-0b2c-9945ba764178@jmvalin.ca>
To: Jean-Marc Valin <jmvalin@jmvalin.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/codec/Ihp3pt2evcdWFU17zWh8SrJasx0>
Thanks! I requested IETF Last Call of version 08.

Ben.

> On Jul 26, 2017, at 12:09 AM, Jean-Marc Valin <jmvalin@jmvalin.ca> wrote:
>
> Just submitted version -08 addressing your last set of comments. See below for details.
>
> On 26/07/17 12:41 AM, Ben Campbell wrote:
>> I suggest adding a sentence to the effect of the following after "… associated text description.":
>>
>> "That RFC includes the reference decoder implementation as Appendix A."
>
> Done.
>
>>> This document fixes two security issues reported on Opus and that affect the reference implementation in RFC 6716 [RFC6716]: CVE-2013-0899 and CVE-2017-0381. CVE-2013-0899 is fixed by Section 4 and could theoretically cause information leak, but the leaked information would at the very least go through the decoder process before being accessible to the attacker. Also, the bug can only be triggered by Opus packets at least 24 MB in size. CVE-2017-0381 is fixed by Section 7 as far as the authors are aware, could not be
>>
>> Is there a missing word? It's not clear if you mean to say that as far as the authors are aware it is fixed, or as far as the authors are aware it could not be exploited.
>
> There was indeed a missing "and":
>
> CVE-2017-0381 is fixed by Section 7 and, as far as the authors are aware, could not be exploited in any way...
>
>> Can you add some context about the CVEs, such as where they are reported and where they can be found?
>
> Added links to the CVEs
>
>> So, as I looked at the XML diff, I realize the emphasis is added using XML tags rather than by hand entering the underscores. So I may have been incorrect to say they have no meaning in the context of an RFC :-) I think the text is still better without them, but do not have strong feelings if you prefer to keep them.
>
> I agree that the underscores weren't adding much, so I'm leaving them out.
>
> Cheers,
>
> Jean-Marc