CVE-2017-11735 in mp3split / libvorbis

To: ron@debian.org, team@security.debian.org
Cc: debian-lts@lists.debian.org
Subject: CVE-2017-11735 in mp3split / libvorbis
From: Guido Günther <agx@sigxcpu.org>
Date: Sat, 30 Sep 2017 20:17:50 +0200
Message-id: <[🔎] 20170930181750.mmylgw5bld4c2bpo@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, ron@debian.org, team@security.debian.org, debian-lts@lists.debian.org

Hi Ron,
Looking at

    https://anonscm.debian.org/cgit/users/ron/mp3splt.git/commit/?id=18f018cd774cb931116ce06a520dc0c5f9443932

do you really mean CVE-2017-11333¹? Isn't this CVE-2017-11735²? Both where
reported in the same message. I can confirm that this fixes
CVE-2017-11735 for me.

Security team, if the CVE is in mp3splt not libvorbis do we need to give
back the CVE and request a new one? Is doing this via

    https://cveform.mitre.org/

The right thing?

Cheers,
 -- Guido

¹) https://security-tracker.debian.org/tracker/CVE-2017-11333
²) https://security-tracker.debian.org/tracker/CVE-2017-11735

Reply to:

Follow-Ups:
- Re: CVE-2017-11735 in mp3split / libvorbis
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: CVE-2017-11735 in mp3split / libvorbis
  - From: Ron <ron@debian.org>

Prev by Date: Re: <ignored> for LTS
Next by Date: Re: Fwd: Re: [Ticket#2017092834000757] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS
Previous by thread: Re: <ignored> for LTS
Next by thread: Re: CVE-2017-11735 in mp3split / libvorbis
Index(es):
- Date
- Thread