Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

Florian Weimer fw at deneb.enyo.de
Tue Sep 27 16:50:35 UTC 2016


* Thomas Orgis:

> On Tue, 27 Sep 2016 10:27:04 +0100,
> James Cowgill <jcowgill at debian.org> wrote:
>
>> Does this have a CVE ID? If not it should get one.
>
> I wondered about that. At the moment I just acted on the bug report and
> pushed the fix. I have no personal experience with the CVE procedure.
> In the past, just "someone" made them appear.
>
> I tried to apply for a CVE using the horrific Google docs form
> (http://iwantacve.org/) now. How can they resort to such a third-party
> ECMAScript-fest instead of a simple HTML form for _security_ issue
> reporting?!

This is the first time I have heard about that site.  The official
form is at:

  <https://cveform.mitre.org/>

(It still uses JavaScript.)

But I'm not sure if this is in scope here because the web form
requires you to confirm that the issue is not in a “CNA-covered
product”.  Debian is a CNA-covered product, mpg123 is part of Debian,
so it is unclear what to do here.  I'll ask around.



More information about the pkg-multimedia-maintainers mailing list