List: oss-security
Subject: Re: [oss-security] libass ass_outline.c signed integer overflow
From: "David A. Wheeler" <dwheeler () dwheeler ! com>
Date: 2020-11-19 16:54:07
Message-ID: 861A949F-D5C8-4AE0-829D-E7C2B4F74137 () dwheeler ! com
> On Nov 19, 2020, at 12:34 AM, Ian Zimmerman <itz@very.loosely.org> wrote:
>
> On 2020-09-29 08:19, Fstark wrote:
>
>> In `ass_outline_construct`'s call to `outline_stroke` a signed integer
>> overflow happens *(undefined behaviour)*. On my machine signed overflow
>> happens to wrap around to a negative value, thus failing the assert.
>> https://github.com/libass/libass/issues/431
>>
>> https://github.com/libass/libass/pull/432
>
> I have followed the links above, and this seems to be an example of a
> situation where the CVE process has failed. It is still not fixed in
> Debian, possibly for that reason. I'll report a Debian bug today.
I read through the issue discussion. As best as I can tell, no one filed for a CVE, so there was no CVE.
Did I misunderstand something?
If my understanding is correct, that is *NOT* a failure of the CVE process.
--- David A. Wheeler