Hi Salvatore,

On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Sun, Oct 01, 2017 at 12:07:11AM +0200, Guido Günther wrote:
>
> > and I'll check with Salvatore if it's appropriate to inform oss-security
> > once we got a new CVE for mp3splt.
> > Thanks for detailed response (and the patch)!
> > -- Guido
> >
> > >
> > > Thanks for catching my misattribution of the CVE number there, I'll
> > > fix that in the changelog for the next release to avoid future
> > > confusion. Just let me know if I should (also?) note it as something
> > > other than CVE-2017-11735 if a new report is issued instead of just
> > > updating the existing one.
>
> FTR, CVE-2017-11735 was REJECTED, and furthermore CVE-2017-15185 was
> specifically assigned for the mp3splt issue. Cf.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15185

Yept. I've already updated the tracker regarding libvorbis this morning. IIRC all versions of mp3splt are affected but I can check later this week. Thanks for following up on the ML (which I forgot).

I also got feedback regarding the other libvorbis issues and there should be reproducers for all the current CVEs now.

Cheers,
 -- Guido