oss-sec mailing list archives
Re: libass ass_outline.c signed integer overflow
From: Ian Zimmerman <itz () very loosely org>
Date: Thu, 19 Nov 2020 18:15:28 -0800
On 2020-11-19 11:54, David A. Wheeler wrote:
I read through the issue discussion. As best as I can tell, no one filed for a CVE, so there was no CVE. Did I misunderstand something? If my understanding is correct, that is *NOT* a failure of the CVE process.
As it often happens to me, what I wrote was too brief to be clear to everyone. The longer version would be something like:

This is an example of a situation where no one filed for a CVE because of perceived hurdles in the process, even if the facts didn't justify the perception.

Now of course Moritz tells us there is in fact a CVE and indeed I can locate the issue in Debian's security tracker. I guess it has been judged not serious enough to need fixing in buster. I disagree but clearly that is up to the maintainers.

--
Ian