Re: libvorbis request for comments
Hi Antoine,
On Thu, Apr 19, 2018 at 12:32:35PM -0400, Antoine Beaupré wrote:
> Hi,
>
> I have taken a look at the libvorbis issues pending in wheezy (and
> accidentally in jessie) and backported a few patches. The result is
> here, as usual, for testing:
>
> https://people.debian.org/~anarcat/debian/wheezy-lts/
>
> Guido: you a lot of work on those issues with upstream, so it would be
> great if you could review the (attached) debdiff. In particular, I
> introduce the vi->channels<=0 check in the code, as the lack of
> vi->channels=>256 check triggers *another* vulnerability. I'm worried
> that adding only vi->channels=>256 would still create an out of bound
> reads or another abnormal condition. Of course, introducing that check
> triggers CVE-2017-14632, so I include the patch for that as well.
>
> Otherwise, it seems the fix for CVE-2017-11333 is the same as
> CVE-2017-14633, so I have marked that fixed as well.
>
> Sounds good?
Looks good to me at least. Thanks for picking this up!
-- Guido
Reply to: