Date: Tue, 29 Aug 2017 21:19:25 +0300
From: "Henri S." <henri@...v.fi>
To: Agostino Sarubbo <ago@...too.org>
Cc: oss-security@...ts.openwall.com, robert@...rs.sf.net
Subject: Re: A bunch of duplicate CVEs requested for?? bho..

Hello ago,

On Tue, Aug 29, 2017 at 02:46:22PM +0200, Agostino Sarubbo wrote:
> Some CVEs about lame were issued, also there is a high number of 
> vulnerabilities never confirmed by upstream nor posted on their bug tracking 
> system. Yes, sometimes I receive emails that say that the bug is not 
> reproducible but I'm always trying to help to reproduce. Instead some reports 
> say: "If you want the poc please contact me at $email"

I'm currently fuzzing LAME with help from Robert Hegemann, who is upstream. I
understand that the latest LAME release on the web page is from 2012, but
hopefully we will get a new release after the fuzzing is finished. If there are
any outstanding issues from your fuzzing, feel free to contact me and I can
verify that those are fixed in the CVS version of it (link below). I can check
your blog for related issues at least. Robert has been fixing the issues very
quickly after reports. I also plan to fuzz other argument combinations. Maybe
we can even include LAME in oss-fuzz later on if upstream agrees.

http://lame.cvs.sourceforge.net/viewvc/lame/lame/

Recently closed issues:

https://sourceforge.net/p/lame/bugs/464/
https://sourceforge.net/p/lame/bugs/465/
https://sourceforge.net/p/lame/bugs/466/
https://sourceforge.net/p/lame/bugs/467/
https://sourceforge.net/p/lame/bugs/468/
https://sourceforge.net/p/lame/bugs/470/
https://sourceforge.net/p/lame/bugs/472/

All feedback is welcome regarding my fuzzing activities. You can also contact
me via IRC in e.g. #afl-users on Freenode if you want to participate in CVS
build fuzzing. If not, I can also notify you after the next release.

> How to avoid filing duplicates?

Maybe give them a link to documentation on how to avoid this in the future.

CCing robert without permission :)

-- 
Henri Salo
