[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Re: Handful of libass issues
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2016-10-31 15:11:49
Message-ID: 20161031151149.4waow4btnxoevnax () eldamar ! local
[Download RAW message or body]

Hi

Apologies for the late reply.

On Thu, Oct 27, 2016 at 08:24:24AM -0500, Brandon Perry wrote:
> 
> > On Oct 27, 2016, at 3:39 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > 
> > Hi,
> > 
> > On Tue, Oct 04, 2016 at 10:23:22PM -0400, cve-assign@mitre.org wrote:
> >>> The third is a huge memory allocation leading to a crash that wasn't
> >>> fixed because a good solution is unavailable at the moment.
> >> 
> >> Use CVE-2016-7971.
> > 
> > It looks from the discussion in
> > https://github.com/libass/libass/pull/240 that this issue is disputed
> > to be actually in libass.
> > 
> 
> For context, while the input caused a crash with AFL (not fuzzing
> with ASAN) and it crashes with ASAN, I was unable to reproduce the
> crash with libass externally. I was only able to take up a hug
> amount of memory and take a long time to finish parsing the input.
> 
> I asked if they dev wanted to reject the CVE but got no strong
> response either way, so I decided to not pursue it.

Sure understand that. Currently, still the CVE is associated with libass.

@MITRE CVE team, could you clarify the above? Is it still desired to
have the CVE associated with libass, or shoult it be rejected?

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]