
Re: CVE-2017-15185/mp3splt (was: Re: CVE-2017-11735 in mp3split / libvorbis)



On Mon, Oct 09, 2017 at 09:56:01PM +0200, Guido Günther wrote:
> Hi Salvatore,
> On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote:
> > Hi
> > 
> > On Sun, Oct 01, 2017 at 12:07:11AM +0200, Guido Günther wrote:
> > 
> > > and I'll check with Salvatore if it's appropriate to inform oss-security
> > > once we got a new CVE for mp3splt.
> > > Thanks for the detailed response (and the patch)!
> > >  -- Guido
> > > 
> > > > 
> > > > 
> > > > Thanks for catching my misattribution of the CVE number there, I'll
> > > > fix that in the changelog for the next release to avoid future
> > > > confusion.  Just let me know if I should (also?) note it as something
> > > > other than CVE-2017-11735 if a new report is issued instead of just
> > > > updating the existing one.
> > 
> > FTR, CVE-2017-11735 was REJECTED, and furthermore CVE-2017-15185 was
> > specifically assigned for the mp3splt issue. Cf.
> > 
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15185
> 
> Yep. I've already updated the tracker regarding libvorbis this
> morning. IIRC all versions of mp3splt are affected but I can check later
> this week. Thanks for following up on the ML (which I forgot).

I assume you meant "all versions prior to 2.6.2+20170630-2"?  That one
includes the patch from git and has migrated to testing.  But yes, all
the current stable release versions would have this bug (and the
reproducer test isn't guaranteed to always explode; it all depends on
what is actually in the uninitialised memory returned by malloc).

I've pushed updates to git noting the correct CVE numbers in the
changelog, but that's not in any upload yet.

  Cheers,
  Ron
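The point Ron makes above, that a reproducer for an uninitialised-malloc bug only "explodes" when the allocator happens to hand back a chunk with the wrong stale bytes, is illustrated below with a constructed example. This is added code, not mp3splt's code or anything from the thread: the `split_table` struct, the `table_new_*`, `table_is_sane` and `prime_heap` functions are hypothetical stand-ins for the bug class. It shows the same buggy allocation staying quiet on a fresh heap and failing once the heap has been primed with garbage, the `calloc` fix behaving the same regardless of heap history, and a harness trick (allocate, fill, free, then re-allocate; relies on glibc's tcache returning the same chunk) that makes such a reproducer deterministic.

```c
/* Constructed example (not mp3splt's code): why a reproducer for an
 * uninitialised-malloc bug is flaky, and how to make it deterministic. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POINTS 8

/* Hypothetical split-point table of the kind a splitter fills in from a
 * file header.  The 16-byte header keeps `count` clear of the first 16
 * bytes of the chunk, which glibc's tcache overwrites with its own
 * bookkeeping when the chunk is freed. */
typedef struct {
    uint8_t  hdr[16];
    uint32_t count;                 /* number of valid entries */
    uint32_t offsets[MAX_POINTS];
} split_table;

/* Bug class: malloc() returns whatever was last in that chunk, so `count`
 * is only zero by luck (e.g. on a fresh, never-used page). */
static split_table *table_new_buggy(void) {
    return malloc(sizeof(split_table));
}

/* Fix: calloc() (or an explicit memset) gives a deterministic zeroed state. */
static split_table *table_new_fixed(void) {
    return calloc(1, sizeof(split_table));
}

/* The consumer's sanity check: a `count` larger than the array is what
 * would make a downstream loop read out of bounds. */
static int table_is_sane(const split_table *t) {
    return t != NULL && t->count <= MAX_POINTS;
}

/* Check helper: a zeroed stack table with a chosen count. */
static int sane_for_count(uint32_t n) {
    split_table t;
    memset(&t, 0, sizeof t);
    t.count = n;
    return table_is_sane(&t);
}

/* Harness trick to make the reproducer reliable: allocate a chunk of the
 * same size, fill it with a marker, free it, then let the code under test
 * allocate.  With glibc the freed chunk is usually handed straight back
 * (tcache), so the stale marker bytes land in `count`.  Setting
 * MALLOC_PERTURB_=255 in the environment achieves the same more robustly. */
static void prime_heap(size_t size, unsigned char marker) {
    unsigned char *p = malloc(size);
    if (p) {
        memset(p, marker, size);
        free(p);
    }
}

/* The fixed path, as a value: count after allocation (UINT32_MAX on OOM). */
static uint32_t fixed_count(void) {
    split_table *t = table_new_fixed();
    uint32_t c = t ? t->count : UINT32_MAX;
    free(t);
    return c;
}

int main(void) {
    /* Run 1: a fresh heap is often zero, so the bug hides. */
    split_table *a = table_new_buggy();
    printf("buggy, fresh heap:  count=%u sane=%d\n", a->count, table_is_sane(a));
    free(a);

    /* Run 2: prime the heap with garbage; now the same code "explodes". */
    prime_heap(sizeof(split_table), 0xFF);
    split_table *b = table_new_buggy();
    printf("buggy, primed heap: count=%u sane=%d\n", b->count, table_is_sane(b));
    free(b);

    /* The fix is deterministic regardless of heap history. */
    prime_heap(sizeof(split_table), 0xFF);
    split_table *c = table_new_fixed();
    printf("fixed, primed heap: count=%u sane=%d\n", c->count, table_is_sane(c));
    free(c);
    return 0;
}
```

Compile with `-fsanitize=memory` (clang) or run under `valgrind --track-origins=yes` to report the uninitialised read on every run rather than only when the heap happens to contain the wrong bytes; the `prime_heap` trick is for the case where you need a plain binary to fail reliably.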


