Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 31 Oct 2016 16:11:49 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: Handful of libass issues

Hi

Apologies for the late reply.

On Thu, Oct 27, 2016 at 08:24:24AM -0500, Brandon Perry wrote:
> 
> > On Oct 27, 2016, at 3:39 AM, Salvatore Bonaccorso <carnil@...ian.org> wrote:
> > 
> > Hi,
> > 
> > On Tue, Oct 04, 2016 at 10:23:22PM -0400, cve-assign@...re.org wrote:
> >>> The third is a huge memory allocation leading to a crash that wasn't
> >>> fixed because a good solution is unavailable at the moment.
> >> 
> >> Use CVE-2016-7971.
> > 
> > It looks from the discussion in
> > https://github.com/libass/libass/pull/240 that this issue is disputed
> > to be actually in libass.
> > 
> 
> For context, while the input caused a crash with AFL (not fuzzing
> with ASAN) and it crashes with ASAN, I was unable to reproduce the
> crash with libass externally. I was only able to take up a hug
> amount of memory and take a long time to finish parsing the input.
> 
> I asked if they dev wanted to reject the CVE but got no strong
> response either way, so I decided to not pursue it.

Sure understand that. Currently, still the CVE is associated with libass.

@MITRE CVE team, could you clarify the above? Is it still desired to
have the CVE associated with libass, or shoult it be rejected?

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ