Re: A bunch of duplicate CVEs requested for?? bho..

["Henri S." <henri () nerv fi>]

Hello ago,

On Tue, Aug 29, 2017 at 02:46:22PM +0200, Agostino Sarubbo wrote:
> Some CVEs about lame was issued, also there are an high number of 
> vulnerabilities never confirmed by upstream nor posted on their bug tracking 
> system. Yes, sometimes I receive emails that say that the bug is not 
> reproducible but I'm always trying to help to reproduce. Instead some report 
> says: "If you want the poc please contact me at $email"

I'm currently fuzzing LAME with help from Robert Hegemann who is upstream. I
understand that the latest LAME release in the web page is from 2012, but
hopefully we will get a new release after the fuzzing is finished. If there are
any outstanding issues from your fuzzing feel free to contact me and I can
verify that those are fixed in the CVS version of it (link below). I can check
your blog for related issues at least. Robert has been fixing the issues very
quickly after reports. I also plan to fuzz other argument combinations. Maybe
we can even include LAME to oss-fuzz later on if upstream agrees.

http://lame.cvs.sourceforge.net/viewvc/lame/lame/

Recently closed issues:

https://sourceforge.net/p/lame/bugs/464/
https://sourceforge.net/p/lame/bugs/465/
https://sourceforge.net/p/lame/bugs/466/
https://sourceforge.net/p/lame/bugs/467/
https://sourceforge.net/p/lame/bugs/468/
https://sourceforge.net/p/lame/bugs/470/
https://sourceforge.net/p/lame/bugs/472/

All feedback is welcome regarding my fuzzing activities. You can also contact
me via IRC in e.g. #afl-users in Freenode if you want to participate in CVS
build fuzzing. If not I can also notify you after the next release.

> How to avoid to file duplicate?

Maybe giving them a link for documentation how to avoid this in the future.

CCing robert without permission :)

-- 
Henri Salo

Attachment: signature.asc
Description: