On Tue, Jul 16, 2019 at 10:25:20AM -0400, Jordy wrote:
> Package: libmad0
>
> I found a security vulnerability in libmad, I could not contact the vendor so
> I figured I'd just send it to you guys as it's a dependency for a lot of
> packages (at least 68).

Have you actually tried this with the latest version of libmad shipped in Debian? The upstream version contains various bugs that have a CVE assigned that have been fixed in Debian.

After the last fix I did, I also ran a fuzzer on it myself for a few weeks that didn't find anything with code that looks a lot like your code.

Kurt

