
Re: Wheezy update for libass ?



Hi

I had a quick look at libass today regarding CVE-2016-7971.

When I read the discussion thread about this issue it looks like the problem is not only disputed upstream, but actually disputed by the person reporting the issue. Or rather the person reporting the issue has clarified that the problem is not in libass but rather in the application using libass.

So if you do not mind I think we should both claim that the libass is not vulnerable and also close #840338.

If I do not hear an objection about this I will do so.

Best regards

// Ola

On 12 October 2016 at 11:13, Sebastian Ramacher <sramacher@debian.org> wrote:
Hi

On 2016-10-12 00:13:30, Markus Koschany wrote:
> On 09.10.2016 23:36, Hugo Lefeuvre wrote:
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of libass:
> > https://security-tracker.debian.org/tracker/source-package/libass
> >
> > Would you like to take care of this yourself?
>
> [...]
>
> Hello,
>
> I have prepared a security update for libass in Wheezy but I think the
> patches can be reused for Jessie as well. I have also marked
> CVE-2016-7970 as fixed in Wheezy and it looks to me this also applies to
> Jessie. I'd be glad if you could take a look at the debdiff (attached)
> and tell me what you think about CVE-2016-7970 and CVE-2016-7971 which
> appears to be unfixed, even disputed upstream.

I have not had the time to look at the CVEs in jessie yet, so I cannot say
anything regarding the patches for jessie and less so for wheezy.

Cheers
--
Sebastian Ramacher



--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

