Message-ID: <20081126095135.GD14536@fuse.inversepath.com>
Date: Wed, 26 Nov 2008 09:51:35 +0000
From: Andrea Barisani <lcars@...rt.org>
To: oss-security@...ts.openwall.com
Cc: 498243@...s.debian.org, xine-user@...ts.sourceforge.net, redpig@...rt.org
Subject: Re: xine-lib and ocert-2008-008

On Tue, Nov 25, 2008 at 07:46:19PM -0500, Steven M. Christey wrote:
>
> On Sat, 22 Nov 2008, Thomas Viehmann wrote:
>
> > I am not quite sure whether I can agree with Will Drewry's analysis[1]
> > accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
> > says is fixed in 1.1.5, attached .mov seems to fit the case description
> > and will still corrupt the memory when viewed e.g. in gxine.
>
> This has finally prompted me to process CVEs for the issues originally
> disclosed by Will back in August. Our analysts didn't have a very
> pleasant time with the volume and complexity, I'm sure. Sorry it took so
> long.
>

Steve, thanks for this assignment, I updated our advisory with the references.
We'll try to take a look at the new test case sometime next week.

Cheers

> CVE-2008-5234 includes two separate bugs, one of which is the item 1A you
> mention (parse_moov_atom in demux_qt.c). If CVE-2008-5234 actually wasn't
> fixed in 1.1.15, we might need a new CVE to handle the variant.
>
> There are also some cases where an xine bug announcement includes some
> bugs that weren't covered by Will's analysis; those won't have an OCERT
> reference.
>
> CVE-2008-5236 and CVE-2008-5237, and possibly others, don't have a
> "CONFIRM" reference in them - which implies that, based on CVE analysis,
> the upstream vendor didn't provide enough clear evidence of a fix.
>
> My brain is too fried to process the followup comment that listed
> individual patches.
>
> - Steve

--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars@...rt.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"