Hi Brian,
my two cents
> - CVE-2019-1010315: divide by zero
This can only be used to trigger DoS, I don't think it is relevant in the
case of wavpack. I would triage it no-dsa.
> - CVE-2019-1010317: use of uninitialized memory.
> - CVE-2019-1010319: use of uninitialized memory.
>
> All three issues have been marked no-DSA by the security team. Does that
> mean we should do the same thing?
I didn't have a very detailed look at these two, but in general these kinds
of issues are hard to exploit. Getting RCE with these seems unlikely to me,
but I am not a skilled attacker. I guess this is why the security team
triaged them no-dsa.
Now, the patches seem fairly easy to review and there's little potential
for regressions. So, in the LTS case, I'd take a closer look at them and
probably mark them postponed. If we've got time, we can maybe ship these
patches in a future update.
cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C