Re: CVE-2017-15185/mp3splt (was: Re: CVE-2017-11735 in mp3split / libvorbis)
Hi,
On Tue, Oct 10, 2017 at 03:30:53PM +1030, Ron wrote:
> On Mon, Oct 09, 2017 at 09:56:01PM +0200, Guido Günther wrote:
> > Hi Salvatore,
> > On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote:
> > > Hi
> > >
> > > On Sun, Oct 01, 2017 at 12:07:11AM +0200, Guido Günther wrote:
> > >
> > > > and I'll check with Salvatore if it's appropriate to inform oss-security
> > > > once we got a new CVE for mp3splt.
> > > > Thanks for detailed response (and the patch)!
> > > > -- Guido
> > > >
> > > > >
> > > > >
> > > > > Thanks for catching my misattribution of the CVE number there, I'll
> > > > > fix that in the changelog for the next release to avoid future
> > > > > confusion. Just let me know if I should (also?) note it as something
> > > > > other than CVE-2017-11735 if a new report is issued instead of just
> > > > > updating the existing one.
> > >
> > > FTR, CVE-2017-11735 was REJECTED, and futhermore CVE-2017-15185 was
> > > specifically assigned for the mp3splt issue. Cf.
> > >
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15185
> >
> > Yept. I've already updated the tracker regarding libvorbis this
> > morning. IIRC all versions of mp3splt are affected but I can check later
> > this week. Thanks for following up tne the ML (which I forgot).
>
> I assume you meant "all versions prior to 2.6.2+20170630-2"? That one
> includes the patch from git and has migrated to testing. But yes all
Yes. Sorry for being unclear. Salvatore marked it in the tracker
accordingly already.
Cheers,
-- Guido
> the current stable release versions would have this bug (and the
> reproducer test isn't guaranteed to always explode, it all depends on
> what is actually in the uninitialised memory returned by malloc).
>
> I've pushed updates to git noting the correct CVE numbers in the
> changelog, but that's not in any upload yet.
>
> Cheers,
> Ron
>
>
Reply to: