Re: Bug#851612: CVE-2017-0381

To: Julien Cristau <jcristau@debian.org>, Ron <ron@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 851612@bugs.debian.org, Debian Security Team <team@security.debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#851612: CVE-2017-0381
From: Jean-Marc Valin <jmvalin@jmvalin.ca>
Date: Mon, 6 Feb 2017 15:00:53 -0500
Message-id: <[🔎] 81738244-e532-3851-dae2-1ea4dfe3a395@jmvalin.ca>
In-reply-to: <[🔎] 20170206194501.z2s6anbchuukr36s@betterave.cristau.org>
References: <d6fd1001-cfc7-882f-7d7b-7147e9b18c1f@jmvalin.ca> <20170129153959.h6nyf3ysqt27r2h6@eldamar.local> <20170131050213.GU7275@hex.shelbyville.oz> <[🔎] 20170206194501.z2s6anbchuukr36s@betterave.cristau.org>

On 06/02/17 02:45 PM, Julien Cristau wrote:
> On Tue, Jan 31, 2017 at 15:32:13 +1030, Ron wrote:
> 
>> I've CC'd -release, to see what they'd prefer we do for Jessie.
>> It might be that the best option here is to just put something later
>> in -bpo, and if people are paranoid, they can choose to use that?
>>
> I'd prefer to review patches rather than walls of text that refer to
> changes in the abstract, since that makes it easier to know what you're
> talking about.  But based on what I've read it doesn't sound like jessie
> needs an update?

This is the commit (along with the analysis):
https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b

That being said, the change itself will not help you much unless you
pull out the full source, since the illegal read occurs in a different file.

Cheers,

	Jean-Marc

Reply to:

References:
- Re: Bug#851612: CVE-2017-0381
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Processed: Re: Bug#854358: unblock: dgit/3.10
Next by Date: Bug#854415: unblock: ndisc6/1.0.3-3
Previous by thread: Re: Bug#851612: CVE-2017-0381
Next by thread: Re: Bug#851612: CVE-2017-0381
Index(es):
- Date
- Thread