
Re: CVE-2017-15185/mp3splt (was: Re: CVE-2017-11735 in mp3split / libvorbis)



Hi Salvatore,
On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> On Sun, Oct 01, 2017 at 12:07:11AM +0200, Guido Günther wrote:
> 
> > and I'll check with Salvatore if it's appropriate to inform oss-security
> > once we got a new CVE for mp3splt.
> > Thanks for detailed response (and the patch)!
> >  -- Guido
> > 
> > > 
> > > 
> > > Thanks for catching my misattribution of the CVE number there, I'll
> > > fix that in the changelog for the next release to avoid future
> > > confusion.  Just let me know if I should (also?) note it as something
> > > other than CVE-2017-11735 if a new report is issued instead of just
> > > updating the existing one.
> 
> FTR, CVE-2017-11735 was REJECTED, and furthermore CVE-2017-15185 was
> specifically assigned for the mp3splt issue. Cf.
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15185

Yep. I've already updated the tracker regarding libvorbis this
morning. IIRC all versions of mp3splt are affected but I can check later
this week. Thanks for following up on the ML (which I forgot).

I also got feedback regarding the other libvorbis issues and there
should be reproducers for all the current CVEs now.

Cheers,
 -- Guido

