[vlc-devel] CVE-2019-13602 Heap Based Buffer Overflow Vulnerability
remi at remlab.net
Wed Jul 17 08:22:56 CEST 2019
I was alluding to the nonsensical patch for broken subtitles, committed, pushed and backported in an interval of 3 minutes, which both you and I thought was inadequate.
Here, the bug reporter sent a clear report with test case. He was ignored for days on, in spite of pings. Eventually, he contacted me directly so I tried to make a patch, proof read it, pushed it and waited several days for comments. Nobody commented so I backported.
Then weeks later, François attacks me for introducing a vulnerability in that fix and for creating a CVE. My patch is ugly and wrong but I don't see a vulnerability and I definitely did not create a CVE, though I can see that somebody else did - probably the original bug reporter.
Le 16 juillet 2019 22:50:39 GMT+03:00, Thomas Guillem <thomas at gllm.fr> a écrit :
>On Tue, Jul 16, 2019, at 18:23, Rémi Denis-Courmont wrote:
>> Le tiistaina 16. heinäkuuta 2019, 10.35.12 EEST Francois Cartegnie a
>> > https://www.securityfocus.com/bid/109158/references
>> > So now we create a new CVE for the out of bound access introduced
>> > CVE fix ?
>> You had several weeks to fix this bug better, also plenty of time to
>> before it was backported (unlike a recent certain commit from a
>> somebody), and you still have time to fix it before it gets released.
>Who is this certain guy ? Which certain commit ?
>I don't understand this mail thread, and indirect references don't help
>> But clearly, you are more interested in trolling me than being
>> Point taken.
>> vlc-devel mailing list
>> To unsubscribe or modify your subscription options:
>vlc-devel mailing list
>To unsubscribe or modify your subscription options:
Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the vlc-devel