Date: Thu, 27 Oct 2016 08:24:24 -0500 From: Brandon Perry <bperry.volatile@...il.com> To: Salvatore Bonaccorso <carnil@...ian.org> Cc: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: Re: Handful of libass issues > On Oct 27, 2016, at 3:39 AM, Salvatore Bonaccorso <carnil@...ian.org> wrote: > > Hi, > > On Tue, Oct 04, 2016 at 10:23:22PM -0400, cve-assign@...re.org wrote: >>> The third is a huge memory allocation leading to a crash that wasn't >>> fixed because a good solution is unavailable at the moment. >> >> Use CVE-2016-7971. > > It looks from the discussion in > https://github.com/libass/libass/pull/240 that this issue is disputed > to be actually in libass. > For context, while the input caused a crash with AFL (not fuzzing with ASAN) and it crashes with ASAN, I was unable to reproduce the crash with libass externally. I was only able to take up a hug amount of memory and take a long time to finish parsing the input. I asked if they dev wanted to reject the CVE but got no strong response either way, so I decided to not pursue it. > Should the CVE assignment be revisited, possibly rejected, according > the upstream discussion? > > Regards, > Salvatore Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ