oss-sec mailing list archives
Re: Re: Handful of libass issues
From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 31 Oct 2016 16:11:49 +0100
Hi Apologies for the late reply. On Thu, Oct 27, 2016 at 08:24:24AM -0500, Brandon Perry wrote:
On Oct 27, 2016, at 3:39 AM, Salvatore Bonaccorso <carnil () debian org> wrote: Hi, On Tue, Oct 04, 2016 at 10:23:22PM -0400, cve-assign () mitre org wrote:The third is a huge memory allocation leading to a crash that wasn't fixed because a good solution is unavailable at the moment.Use CVE-2016-7971.It looks from the discussion in https://github.com/libass/libass/pull/240 that this issue is disputed to be actually in libass.For context, while the input caused a crash with AFL (not fuzzing with ASAN) and it crashes with ASAN, I was unable to reproduce the crash with libass externally. I was only able to take up a hug amount of memory and take a long time to finish parsing the input. I asked if they dev wanted to reject the CVE but got no strong response either way, so I decided to not pursue it.
Sure understand that. Currently, still the CVE is associated with libass. @MITRE CVE team, could you clarify the above? Is it still desired to have the CVE associated with libass, or shoult it be rejected? Regards, Salvatore
Current thread:
- Handful of libass issues Brandon Perry (Oct 04)
- Re: Handful of libass issues cve-assign (Oct 04)
- Re: Re: Handful of libass issues Salvatore Bonaccorso (Oct 27)
- Re: Re: Handful of libass issues Brandon Perry (Oct 27)
- Re: Re: Handful of libass issues Salvatore Bonaccorso (Oct 31)
- Re: Handful of libass issues cve-assign (Nov 01)
- Re: Re: Handful of libass issues Salvatore Bonaccorso (Oct 27)
- Re: Handful of libass issues cve-assign (Oct 04)