Re: [secdir] SecDir Last Call Review of draft-ietf-codec-opus-update-08
Jean-Marc Valin <jmvalin@jmvalin.ca> Mon, 14 August 2017 20:45 UTC
Return-Path: <jmvalin@jmvalin.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A22A0132427 for <secdir@ietfa.amsl.com>; Mon, 14 Aug 2017 13:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jmvalin-ca.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sSnSCNOKmTUm for <secdir@ietfa.amsl.com>; Mon, 14 Aug 2017 13:45:38 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02B90126E64 for <secdir@ietf.org>; Mon, 14 Aug 2017 13:45:37 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id 76so1331210ith.0 for <secdir@ietf.org>; Mon, 14 Aug 2017 13:45:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jmvalin-ca.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=SuSAttQ1xG8GwF2Et0dPekxFxNYUIxqw0jxlLyjkL/0=; b=MKZEgKLSRLv7VT4t/kRlsBSBwKXbrQQTdHquFuvD2EQnWyxvJ+XJzrfmR8zR5nSI2c 3zSzEowa8CiEaWvtxxfYqEolFoKDVuXW5G0tXIRyZYrKj4Lfl5PACIa3HBBVq5Rh+t2P pWxqcGsw8PX4tqkqB0ABAGJGGLKdaOMpC8KuljIiQOb43FWkZF93ehEd9KRO4yiuOjkt fCxodlUQ2QUbH78S28mv2LbIK+5p2D3xi0pYFoLCe62/Ji5yirRkTja7WL9ynarHirPb lDge0uDuJyHePosJANPHqxHXmHnAF/ewQCjFjl/yjjQFralnMiLx9HARZh8PFwKU39PA 8TOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=SuSAttQ1xG8GwF2Et0dPekxFxNYUIxqw0jxlLyjkL/0=; b=Bv013RUo38V7Q+y6A4p8XMqnIeMz7Gh0apn6rutlIW1VHf0s4lWFPafd1OuWMMEr1g NQ8tkFsiEza+oEZkn+Mlyvh6TCRT+jSCKZQH4DDR3h/qZVuauCZqFPFb0TKsmK9cVFJS V0E9YEassVgVUbMpnlmecYuHwi+4GMGcJfZf01db/dEYJIJrE8GpSNomt8WDjATvobYp 27VvHKvC6ypB6gp89qLXF2PKJel3GJhmz4QQif/Vu3pTYlyg1ZeMMsd1wDZw04J0GRcN 1q8h238Wy2y7HqJ5UV6W1qMLh3c9AV9L4/6aIBmlAZ8lWcjhomo0k0JI47El9qF7++YS sRBw==
X-Gm-Message-State: AHYfb5jeLXLK5pnA3a5WrM5p7nZobqKgrDAL8TjNE2GyZxfogIzyiBLE NxuGi3Z1Uft3d3iW
X-Received: by 10.36.77.134 with SMTP id l128mr221978itb.44.1502743537218; Mon, 14 Aug 2017 13:45:37 -0700 (PDT)
Received: from panoramix.jmvalin.ca (modemcable067.31-56-74.mc.videotron.ca. [74.56.31.67]) by smtp.gmail.com with ESMTPSA id h76sm3944894ioe.28.2017.08.14.13.45.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Aug 2017 13:45:36 -0700 (PDT)
To: Steve.Hanna@infineon.com, iesg@ietf.org, secdir@ietf.org, draft-ietf-codec-opus-update.all@ietf.org
References: <d86f35424f95417d8298e4a5fdf9fef7@MUCSE609.infineon.com>
From: Jean-Marc Valin <jmvalin@jmvalin.ca>
Message-ID: <efefa1e7-9055-1bb8-3200-a1ab66d05211@jmvalin.ca>
Date: Mon, 14 Aug 2017 16:45:34 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <d86f35424f95417d8298e4a5fdf9fef7@MUCSE609.infineon.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CvJHYDdmUeryxMMmNU-7AudFvNk>
Subject: Re: [secdir] SecDir Last Call Review of draft-ietf-codec-opus-update-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 20:45:41 -0000
Hi Steve, Thanks for the review and useful comments. See below. On 11/08/17 09:38 AM, Steve.Hanna@infineon.com wrote: > 1) In section 5, the third problem with the SILK resampler involves a > possible buffer overrun. This bug looks like to me like it could result > in unauthorized writes to the stack beyond the end of the buffer. These > writes could be used for return-oriented programming, to modify > variables stored in the stack, or even to execute arbitrary code. The > draft says that “the code never produced any error in testing” and > “suggests that in practice […] none of the issues above was ever a > problem.” Many security vulnerabilities do not produce any errors in > testing but lead to serious security problems. Unless the authors can > prove that the bug is harmless, they should not minimize its potential > impact. Therefore, I suggest that this language in the draft be changed > to avoid minimizing the impact of the bug in any way. Rather, the draft > should warn that a buffer overrun permitting writes into the stack is a > dangerous vulnerability that can in some cases lead to arbitrary code > execution, although the authors are not aware at this time of any > successful exploits. Minimizing the impact of the bug may discourage > readers from rapidly deploying the fix or adopting other countermeasures. So I spent some time to evaluate the consequences of the problem and came to the conclusion that no out-of-bounds read or write is possible. That's because the buffers involved (buf and S->sFIR) are actually larger than they needed to be for the code to work. So the extra bytes copied do not overrun any of the buffers. I'll update the text to state to make it clear that the bug is harmless. It's still good to fix it because it *does* look a bit scary until you've done the full analysis. > 2) Section 7 discusses and fixes the CVE-2017-0381 vulnerability. > Although the CVE description says that “A remote code execution > vulnerability in silk/NLSF_stabilize.c in libopus in Mediaserver could > enable an attacker using a specially crafted file to cause memory > corruption during media file and data processing.”, subsequent analysis > by many parties (e.g., > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851612#10) indicates > that this vulnerability cannot lead to remote code execution. Rather, it > can only result in an illegal read access to the stack. That’s not good > but it’s not nearly as bad as remote code execution. The draft correctly > states that “The end result of the wrap-around is an illegal read access > on the stack”. The text in the CVE description should be corrected, if > possible. I tried getting the CVE corrected at the time, but didn't get far aside from having the severity lowered slightly. It's worth noting that the CVE came in about 6 months after the bug was fixed. > 3) Section 12 says that “CVE-2017-0381 […] could not be exploited in any > way (despite the claims in the CVE), unless the read-only table was > somehow placed very close to sensitive data, which is highly unlikely.” > Those who write library code don’t control the placement of input > parameters such as buffers. That’s especially true for open source > reference code that may be adapted in almost any way. Therefore, the > statement that the CVE could not be exploited in any way seems to be a > stretch. Rather, it would be better to warn about the worst possible > risks of the bug than to minimize its impact. Still, there would be some > benefit in explaining that community analysis of this vulnerability has > not supported the claim in the CVE that it enables remote code execution. Here's the revised text I would suggest: "CVE-2017-0381 is fixed by Section 7 and can only result in a 16-bit out-of-bounds read to a fixed location 256 bytes before a constant table. That location would normally be part of an executable's read-only data segment, but if that is not the case, the bug could at worst results in either a crash or the leakage of 16 bits of information from that fixed memory location (if the attacker has access to the decoded output). Despite the claims of the CVE, the bug cannot results in arbitrary code execution." > Also, here are a few nits: > > * At the end of section 1, the text “has a SHA1” should be “has a SHA-1 > hash of”. > > * In section 10 at the end of the first paragraph, “artefacts” should be > “artifacts”. > > * In section 11 just before the hexadecimal values, “SHA1 hash” should > be “SHA-1 hashes”. > > * In section 12, “theoretically cause information leak” should be > “theoretically cause an information leak”. This text is split by a line > break so search for “information leak”. Will fix as suggested. Cheers, Jean-Marc
- [secdir] SecDir Last Call Review of draft-ietf-co… Steve.Hanna
- Re: [secdir] SecDir Last Call Review of draft-iet… Jean-Marc Valin
- Re: [secdir] SecDir Last Call Review of draft-iet… Steve.Hanna