Date: Tue, 29 Aug 2017 21:19:25 +0300 From: "Henri S." <henri@...v.fi> To: Agostino Sarubbo <ago@...too.org> Cc: oss-security@...ts.openwall.com, robert@...rs.sf.net Subject: Re: A bunch of duplicate CVEs requested for?? bho.. Hello ago, On Tue, Aug 29, 2017 at 02:46:22PM +0200, Agostino Sarubbo wrote: > Some CVEs about lame was issued, also there are an high number of > vulnerabilities never confirmed by upstream nor posted on their bug tracking > system. Yes, sometimes I receive emails that say that the bug is not > reproducible but I'm always trying to help to reproduce. Instead some report > says: "If you want the poc please contact me at $email" I'm currently fuzzing LAME with help from Robert Hegemann who is upstream. I understand that the latest LAME release in the web page is from 2012, but hopefully we will get a new release after the fuzzing is finished. If there are any outstanding issues from your fuzzing feel free to contact me and I can verify that those are fixed in the CVS version of it (link below). I can check your blog for related issues at least. Robert has been fixing the issues very quickly after reports. I also plan to fuzz other argument combinations. Maybe we can even include LAME to oss-fuzz later on if upstream agrees. http://lame.cvs.sourceforge.net/viewvc/lame/lame/ Recently closed issues: https://sourceforge.net/p/lame/bugs/464/ https://sourceforge.net/p/lame/bugs/465/ https://sourceforge.net/p/lame/bugs/466/ https://sourceforge.net/p/lame/bugs/467/ https://sourceforge.net/p/lame/bugs/468/ https://sourceforge.net/p/lame/bugs/470/ https://sourceforge.net/p/lame/bugs/472/ All feedback is welcome regarding my fuzzing activities. You can also contact me via IRC in e.g. #afl-users in Freenode if you want to participate in CVS build fuzzing. If not I can also notify you after the next release. > How to avoid to file duplicate? Maybe giving them a link for documentation how to avoid this in the future. CCing robert without permission :) -- Henri Salo [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ