Re: CVE-2017-15185/mp3splt (was: Re: CVE-2017-11735 in mp3split / libvorbis)
On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote:
> On Sun, Oct 01, 2017 at 12:07:11AM +0200, Guido Günther wrote:
> > and I'll check with Salvatore if it's appropriate to inform oss-security
> > once we got a new CVE for mp3splt.
> > Thanks for detailed response (and the patch)!
> > -- Guido
> > >
> > >
> > > Thanks for catching my misattribution of the CVE number there, I'll
> > > fix that in the changelog for the next release to avoid future
> > > confusion. Just let me know if I should (also?) note it as something
> > > other than CVE-2017-11735 if a new report is issued instead of just
> > > updating the existing one.
> FTR, CVE-2017-11735 was REJECTED, and furthermore CVE-2017-15185 was
> specifically assigned for the mp3splt issue. Cf.
Yept. I've already updated the tracker regarding libvorbis this
morning. IIRC all versions of mp3splt are affected but I can check later
this week. Thanks for following up on the ML (which I forgot).
I also got feedback regarding the other libvorbis issues and there
should be reproducers for all the current CVEs now.