Re: [codec] AD Evaluation of draft-ietf-codec-opus-update-07

Ben Campbell <ben@nostrum.com> Wed, 26 July 2017 20:22 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: codec@ietfa.amsl.com
Delivered-To: codec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A31F213146C; Wed, 26 Jul 2017 13:22:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.881
X-Spam-Level:
X-Spam-Status: No, score=-1.881 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rqlvu7mNTbF0; Wed, 26 Jul 2017 13:22:48 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDBDC12EC46; Wed, 26 Jul 2017 13:22:47 -0700 (PDT)
Received: from [10.0.1.63] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v6QKMkth065949 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 26 Jul 2017 15:22:47 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.63]
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <747d9352-f3b0-56cd-0b2c-9945ba764178@jmvalin.ca>
Date: Wed, 26 Jul 2017 15:22:45 -0500
Cc: draft-ietf-codec-opus-update.all@ietf.org, codec@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <1B21E198-2219-4831-861A-2F8939D3BD8D@nostrum.com>
References: <44ADD827-E40E-4BBE-91DB-EFFC249AA10E@nostrum.com> <3e689239-f217-2185-96e2-c6ae35b4d0f3@jmvalin.ca> <15358143-0339-4B75-A5FD-010D465DA603@nostrum.com> <747d9352-f3b0-56cd-0b2c-9945ba764178@jmvalin.ca>
To: Jean-Marc Valin <jmvalin@jmvalin.ca>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/codec/Ihp3pt2evcdWFU17zWh8SrJasx0>
Subject: Re: [codec] AD Evaluation of draft-ietf-codec-opus-update-07
X-BeenThere: codec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec WG <codec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/codec>, <mailto:codec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/codec/>
List-Post: <mailto:codec@ietf.org>
List-Help: <mailto:codec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/codec>, <mailto:codec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 20:22:50 -0000

Thanks! I requested IETF Last Call of version 08.

Ben.

> On Jul 26, 2017, at 12:09 AM, Jean-Marc Valin <jmvalin@jmvalin.ca> wrote:
> 
> Just submitted version -08 addressing your last set of comments. See
> below for details.
> 
> On 26/07/17 12:41 AM, Ben Campbell wrote:
>> I suggest adding a sentence to the effect of the following after “…
>> associated text description.”:
>> 
>> "That RFC includes the reference decoder implementation as Appendix
>> A."
> 
> Done.
> 
>>> This document fixes two security issues reported on Opus and that 
>>> affect the reference implementation in RFC 6716 [RFC6716]: CVE- 
>>> 2013-0899 and CVE-2017-0381.  CVE-2013-0899 is fixed by Section 4
>>> and could theoretically cause information leak, but the leaked 
>>> information would at the very least go through the decoder process 
>>> before being accessible to the attacker.  Also, the bug can only
>>> be triggered by Opus packets at least 24 MB in size.  CVE-2017-0381
>>> is fixed by Section 7 as far as the authors are aware, could not
>>> be
>> 
>> Is there a missing word? It’s not clear if you mean to say that as
>> far as the authors are aware it is fixed, or as far as the authors
>> are aware it could not be exploited.
> 
> There was indeed a missing "and":
> 
>  CVE-2017-0381 is fixed by Section 7 and, as far as the authors
>  are aware, could not be exploited in any way...
> 
>> Can you add some context about the CVEs, such as where they are
>> reported and where they can be found?
> 
> Added links to the CVEs
> 
>> So, as I looked at the XML diff, I realize the emphasis is added
>> using XML tags rather than by hand entering the underscores. So I may
>> have been incorrect to say they have no meaning in the context of an
>> RFC :-)   I think the text is still better without them, but do not
>> have strong feelings if you prefer to keep them.
> 
> I agree that the underscores weren't adding much, so I'm leaving them out.
> 
> Cheers,
> 
> 	Jean-Marc