[vlc-devel] CVE-2019-13602 Heap Based Buffer Overflow Vulnerability

Thomas Guillem thomas at gllm.fr
Wed Jul 17 13:56:43 CEST 2019


Thanks for the explanation.

So, there is a bug with the new patch but no real security issue thanks to the block padding.

Francois: could you have a look please? 

By the way, from our CoC:
"You should, when possible, criticize in private, and praise publicly; since most of our communications are public and people can be sensitive about that."

On Wed, Jul 17, 2019, at 08:23, Rémi Denis-Courmont wrote:
> Hi,
> 
> I was alluding to the nonsensical patch for broken subtitles, committed, pushed and backported in an interval of 3 minutes, which both you and I thought was inadequate.
> 
> Here, the bug reporter sent a clear report with test case. He was ignored for days on, in spite of pings. Eventually, he contacted me directly so I tried to make a patch, proof read it, pushed it and waited several days for comments. Nobody commented so I backported.
> 
> Then weeks later, François attacks me for introducing a vulnerability in that fix and for creating a CVE. My patch is ugly and wrong but I don't see a vulnerability and I definitely did not create a CVE, though I can see that somebody else did - probably the original bug reporter.
> 
> On 16 July 2019 22:50:39 GMT+03:00, Thomas Guillem <thomas at gllm.fr> wrote:
>> Hello,
>> 
>> On Tue, Jul 16, 2019, at 18:23, Rémi Denis-Courmont wrote:
>>> On Tuesday 16 July 2019, 10.35.12 EEST, Francois Cartegnie wrote:
>>>> https://www.securityfocus.com/bid/109158/references
>>>> 
>>>> So now we create a new CVE for the out of bound access introduced by the
>>>> CVE fix?
>>> You had several weeks to fix this bug better, also plenty of time to comment
>>> before it was backported (unlike a recent certain commit from a certain
>>> somebody), and you still have time to fix it before it gets released.
>> 
>> Who is this certain guy? Which certain commit?
>> I don't understand this mail thread, and indirect references don't help me.
>> 
>> 
>>> But clearly, you are more interested in trolling me than being productive.
>>> Point taken.
>>> 
>>> -- 
>>> レミ・デニ-クールモン
>>> http://www.remlab.net/
>>> vlc-devel mailing list
>>> To unsubscribe or modify your subscription options:
>>> https://mailman.videolan.org/listinfo/vlc-devel
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.