On Wed, Mar 06, 2019 at 03:15:40AM +0100, Elimar Riesebieter wrote: > Hi all, > > did someone checked > > https://git.xiph.org/?p=libao.git;a=commit;h=d5221655dfd1a2156aa6be83b5aadea7c1e0f5bd >
You mean the commit which has :? author Ron <r...@debian.org> Sat, 13 Jan 2018 09:49:20 +0000 (20:19 +1030) committer Ron <r...@debian.org> Sat, 13 Jan 2018 15:19:59 +0000 (01:49 +1030) It was a while ago now, but yeah, I *probably* looked at that one ... For the people on the other bug(s), the analysis behind that is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608#14 And the tldr version is, you can't punt this back to libao, and that patch doesn't fix your bug. AFAICS there is no bug in libao detected by this "CVE", its test case explodes in libmad, not libao - and the patch above just fixes some other potential issues I saw by eye while auditing libao enough to give the analysis above. And since Kurt seems to have done the same for libmad in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870406#25 It looks like the ball is squarely in the court of whoever cares about mpg321 to do some debugging next and find what it's doing wrong. And then _possibly_ push back if some flaw in a support library really is exacerbating the mistake it makes. Cheers, Ron