Hi Raphael,

thank you very much for asking!

In fact, I was about to start trying to work on this. But the fact that ASAN, which I have no experience with yet, is required to reproduce the vulnerabilities does not really help. :/

Also, upstream has already been made aware of the vulnerabilities, but I consider it very unlikely that the issues will be fixed there. The discussion has so far only led to considering replacement of the internal mpeglib code with linking with mpeg123, which does not really help here:

https://sourceforge.net/p/lame/mailman/message/35918740/

On Tuesday, 11.07.2017, 14:31 +0200, Raphael Hertzog wrote:
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:

I wouldn't mind if someone else started working on this. Quite the contrary, I would be grateful. Nevertheless, I will probably try to get behind these issues myself and hope that our efforts don't clash. Maybe we'll end up with similar solutions at the end of the day. ;)

Cheers,

 - Fabian