Re: libvorbis request for comments

To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: debian-lts@lists.debian.org
Subject: Re: libvorbis request for comments
From: Guido Günther <agx@sigxcpu.org>
Date: Wed, 25 Apr 2018 15:18:52 +0200
Message-id: <[🔎] 20180425131852.GA16851@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 874lk7gnrw.fsf@curie.anarc.at>
References: <[🔎] 874lk7gnrw.fsf@curie.anarc.at>

Hi Antoine,
On Thu, Apr 19, 2018 at 12:32:35PM -0400, Antoine Beaupré wrote:
> Hi,
> 
> I have taken a look at the libvorbis issues pending in wheezy (and
> accidentally in jessie) and backported a few patches. The result is
> here, as usual, for testing:
> 
> https://people.debian.org/~anarcat/debian/wheezy-lts/
> 
> Guido: you a lot of work on those issues with upstream, so it would be
> great if you could review the (attached) debdiff. In particular, I
> introduce the vi->channels<=0 check in the code, as the lack of
> vi->channels=>256 check triggers *another* vulnerability. I'm worried
> that adding only vi->channels=>256 would still create an out of bound
> reads or another abnormal condition. Of course, introducing that check
> triggers CVE-2017-14632, so I include the patch for that as well.
> 
> Otherwise, it seems the fix for CVE-2017-11333 is the same as
> CVE-2017-14633, so I have marked that fixed as well.
> 
> Sounds good?

Looks good to me at least. Thanks for picking this up!
 -- Guido

Reply to:

Follow-Ups:
- Re: libvorbis request for comments
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

References:
- libvorbis request for comments
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Re: ruby1.9.1 test packages for wheezy
Next by Date: upload drupal7
Previous by thread: libvorbis request for comments
Next by thread: Re: libvorbis request for comments
Index(es):
- Date
- Thread