Date: Tue, 29 Aug 2017 15:23:50 -0400
Subject: Re: [scr379303] A bunch of duplicate CVEs requested for bho..


> duplicate of:

Yes, these are duplicates; we will reject CVE-2017-13753 and update

This occurred because the MITRE CVE team inadvertently populated
CVE-2016-9396 with incorrect version information, and because the code
changed between the two tested versions.

Specifically, CVE-2016-9396 had said "in JasPer before 1.900.12" but
actually there was no reference stating that 1.900.12 was a fixed
version. Also, the CVE-2017-13753 reference said "Assertion `qmfbid ==
JPC_COX_RFT' failed" but the CVE-2016-9396 reference said "Assertion
`qmfbid == 0x01' failed." These happen to be the same (there's a
"#define JPC_COX_RFT 0x01" elsewhere), but it initially looked like
the new report was about a different assertion that was problematic in
1.900.12 and later versions.

> months later we have:
> "There is a division-by-zero vulnerability in LAME 3.99.5, caused by a
> malformed input file."

When we worked on your CVE ID request for the
report, we had the information about the affected source-code pathname
frontend/get_audio.c, and we had found the information about "this is all in the
frontend code in frontend/get_audio.c:parse_wave_header() and not in
the library." By contrast, the CVE-2017-11720 request had less
technical detail about the source-code location, and the requester had
checked the "Has vendor confirmed or acknowledged the vulnerability?"
Yes box on our web site. In general, if a
problem is only a divide-by-zero in a command-line program, but the
upstream vendor decided to categorize it as a vulnerability, then it
gets a CVE. Admittedly, there was no direct proof of "decided to
categorize it as a vulnerability" here. Also, if a CVE is already
populated, and is about this type of valid crash report, then we do
not retroactively reject it, even if we learn more about exploitation
relevance. We will update CVE-2017-11720 with your reference, to help
to show that you were the original discoverer.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]