oss-sec mailing list archives
Re: A bunch of duplicate CVEs requested for?? bho..
From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 29 Aug 2017 21:40:21 +0200
On Tuesday 29 August 2017 20:19:25 CEST Henri S. wrote:

> Hello ago,
>
> On Tue, Aug 29, 2017 at 02:46:22PM +0200, Agostino Sarubbo wrote:
> > Some CVEs about lame were issued; there is also a high number of vulnerabilities never confirmed by upstream nor posted on their bug tracking system. Yes, sometimes I receive emails that say that the bug is not reproducible, but I'm always trying to help to reproduce. Instead some reports say: "If you want the poc please contact me at $email"
>
> I'm currently fuzzing LAME with help from Robert Hegemann, who is upstream. I understand that the latest LAME release on the web page is from 2012, but hopefully we will get a new release after the fuzzing is finished. If there are any outstanding issues from your fuzzing, feel free to contact me and I can verify that those are fixed in the CVS version of it (link below). I can check your blog for related issues at least. Robert has been fixing the issues very quickly after reports. I also plan to fuzz other argument combinations. Maybe we can even include LAME in oss-fuzz later on if upstream agrees.
>
> http://lame.cvs.sourceforge.net/viewvc/lame/lame/
>
> Recently closed issues:
> https://sourceforge.net/p/lame/bugs/464/
> https://sourceforge.net/p/lame/bugs/465/
> https://sourceforge.net/p/lame/bugs/466/
> https://sourceforge.net/p/lame/bugs/467/
> https://sourceforge.net/p/lame/bugs/468/
> https://sourceforge.net/p/lame/bugs/470/
> https://sourceforge.net/p/lame/bugs/472/
>
> All feedback is welcome regarding my fuzzing activities. You can also contact me via IRC in e.g. #afl-users on Freenode if you want to participate in CVS build fuzzing. If not, I can also notify you after the next release.
>
> > How to avoid filing duplicates?
>
> Maybe giving them a link to documentation on how to avoid this in the future.
>
> CCing robert without permission :)
Hello Henri,

lame was just an example, but it wasn't the point. The point was about the reporter's behavior and the world around the CVE assignments.

--
Agostino Sarubbo
Gentoo Linux Developer