Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 Nov 2020 11:54:07 -0500
From: "David A. Wheeler" <>
Subject: Re: libass ass_outline.c signed integer overflow

> On Nov 19, 2020, at 12:34 AM, Ian Zimmerman <> wrote:
> On 2020-09-29 08:19, Fstark wrote:
>> In `ass_outline_construct`'s call to `outline_stroke` a signed integer
>> overflow happens *(undefined behaviour)*. On my machine signed overflow
>> happens to wrap around to a negative value, thus failing the assert.
> I have followed the links above, and this seems to be an example of a
> situation where the CVE process has failed. It is still not fixed in
> Debian, possibly for that reason. I'll report a Debian bug today.

I read through the issue discussion. As best as I can tell, no one filed for a CVE, so there was no CVE.
Did I misunderstand something?

If my understanding is correct, that is *NOT* a failure of the CVE process.

--- David A. Wheeler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.