Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

Thomas Orgis thomas-forum at orgis.org
Tue Sep 27 20:39:21 UTC 2016


On Tue, 27 Sep 2016 18:50:35 +0200,
Florian Weimer <fw at deneb.enyo.de> wrote: 

> Debian is a CNA-covered product, mpg123 is part of Debian,
> so it is unclear what to do here.  I'll ask around.

Well, so far I did not get a response from http://iwantacve.org/
(linked from
http://cve.mitre.org/cve/data_sources_product_coverage.html, btw. both
not defaulting to https) … I am not sure how long I should wait. Maybe
the "Distributed Weakness Filing Project" consists of humans that don't
work around the clock. If there is a number from Debian, it's fine by
me. We should just avoid having two associations.

And, well, mpg123 is part of Debian and numerous other distros/ports
trees, as well as a stand-alone product people install on their MS
Windows machines, or under OS/2 (yes, really;-) … or in yet other
contexts. Like just about any other open source project. I guess
getting a CVE via the Debian umbrella might be the easiest route,
though.

Getting the fix to the users is my top priority. Even without a CVE, a
Debian bug report hopefully triggers a good number of downstream
distros at least.


Alrighty then,

Thomas