Hi,

On Tue, Oct 10, 2017 at 03:30:53PM +1030, Ron wrote:
> On Mon, Oct 09, 2017 at 09:56:01PM +0200, Guido Günther wrote:
> > Hi Salvatore,
> > On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote:
> > > Hi
> > >
> > > On Sun, Oct 01, 2017 at 12:07:11AM +0200, Guido Günther wrote:
> > >
> > > > and I'll check with Salvatore if it's appropriate to inform oss-security
> > > > once we got a new CVE for mp3splt.
> > > > Thanks for detailed response (and the patch)!
> > > > -- Guido
> > > >
> > > > >
> > > > > Thanks for catching my misattribution of the CVE number there, I'll
> > > > > fix that in the changelog for the next release to avoid future
> > > > > confusion. Just let me know if I should (also?) note it as something
> > > > > other than CVE-2017-11735 if a new report is issued instead of just
> > > > > updating the existing one.
> > >
> > > FTR, CVE-2017-11735 was REJECTED, and furthermore CVE-2017-15185 was
> > > specifically assigned for the mp3splt issue. Cf.
> > >
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15185
> >
> > Yept. I've already updated the tracker regarding libvorbis this
> > morning. IIRC all versions of mp3splt are affected but I can check later
> > this week. Thanks for following up on the ML (which I forgot).
>
> I assume you meant "all versions prior to 2.6.2+20170630-2"? That one
> includes the patch from git and has migrated to testing. But yes all

Yes. Sorry for being unclear. Salvatore marked it in the tracker
accordingly already.

Cheers,
 -- Guido

> the current stable release versions would have this bug (and the
> reproducer test isn't guaranteed to always explode, it all depends on
> what is actually in the uninitialised memory returned by malloc).
>
> I've pushed updates to git noting the correct CVE numbers in the
> changelog, but that's not in any upload yet.
>
> Cheers,
> Ron