[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Re: Handful of libass issues
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2016-10-31 15:11:49
Message-ID: 20161031151149.4waow4btnxoevnax () eldamar ! local
[Download RAW message or body]
Hi
Apologies for the late reply.
On Thu, Oct 27, 2016 at 08:24:24AM -0500, Brandon Perry wrote:
>
> > On Oct 27, 2016, at 3:39 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> >
> > Hi,
> >
> > On Tue, Oct 04, 2016 at 10:23:22PM -0400, cve-assign@mitre.org wrote:
> >>> The third is a huge memory allocation leading to a crash that wasn't
> >>> fixed because a good solution is unavailable at the moment.
> >>
> >> Use CVE-2016-7971.
> >
> > It looks from the discussion in
> > https://github.com/libass/libass/pull/240 that this issue is disputed
> > to be actually in libass.
> >
>
> For context, while the input caused a crash with AFL (not fuzzing
> with ASAN) and it crashes with ASAN, I was unable to reproduce the
> crash with libass externally. I was only able to take up a hug
> amount of memory and take a long time to finish parsing the input.
>
> I asked if they dev wanted to reject the CVE but got no strong
> response either way, so I decided to not pursue it.
Sure understand that. Currently, still the CVE is associated with libass.
@MITRE CVE team, could you clarify the above? Is it still desired to
have the CVE associated with libass, or shoult it be rejected?
Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic