
Re: libvorbis request for comments



On 2018-04-25 15:18:52, Guido Günther wrote:
> Hi Antoine,
> On Thu, Apr 19, 2018 at 12:32:35PM -0400, Antoine Beaupré wrote:
>> Hi,
>> 
>> I have taken a look at the libvorbis issues pending in wheezy (and
>> accidentally in jessie) and backported a few patches. The result is
>> here, as usual, for testing:
>> 
>> https://people.debian.org/~anarcat/debian/wheezy-lts/
>> 
>> Guido: you did a lot of work on those issues with upstream, so it would be
>> great if you could review the (attached) debdiff. In particular, I
>> introduce the vi->channels<=0 check in the code, as the lack of
>> vi->channels=>256 check triggers *another* vulnerability. I'm worried
>> that adding only vi->channels=>256 would still create out of bound
>> reads or another abnormal condition. Of course, introducing that check
>> triggers CVE-2017-14632, so I include the patch for that as well.
>> 
>> Otherwise, it seems the fix for CVE-2017-11333 is the same as
>> CVE-2017-14633, so I have marked that fixed as well.
>> 
>> Sounds good?
>
> Looks good to me at least. Thanks for picking this up!

Thanks, uploaded.

-- 
Cyberspace. A consensual hallucination experienced daily by billions
of legitimate operators, in every nation, by children being taught
mathematical concepts...
                       - William Gibson

