Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 31 Oct 2016 16:11:49 +0100
From: Salvatore Bonaccorso <>
Subject: Re: Re: Handful of libass issues


Apologies for the late reply.

On Thu, Oct 27, 2016 at 08:24:24AM -0500, Brandon Perry wrote:
> > On Oct 27, 2016, at 3:39 AM, Salvatore Bonaccorso <> wrote:
> > 
> > Hi,
> > 
> > On Tue, Oct 04, 2016 at 10:23:22PM -0400, wrote:
> >>> The third is a huge memory allocation leading to a crash that wasn't
> >>> fixed because a good solution is unavailable at the moment.
> >> 
> >> Use CVE-2016-7971.
> > 
> > It looks from the discussion in
> > that this issue is disputed
> > to be actually in libass.
> > 
> For context, while the input caused a crash with AFL (not fuzzing
> with ASAN) and it crashes with ASAN, I was unable to reproduce the
> crash with libass externally. I was only able to take up a hug
> amount of memory and take a long time to finish parsing the input.
> I asked if they dev wanted to reject the CVE but got no strong
> response either way, so I decided to not pursue it.

Sure understand that. Currently, still the CVE is associated with libass.

@MITRE CVE team, could you clarify the above? Is it still desired to
have the CVE associated with libass, or shoult it be rejected?


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ