Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-10-05 Thread Thomas Orgis
On Wed, 5 Oct 2016 21:34:49 +0200, Salvatore Bonaccorso wrote:
> Any news from the DWF project on the assigned CVE?
Nothing. I got the initial request to accept the MITRE Terms of Use for CVE from the person handling my case (I assume). I replied to the mail at 2016-09-30.

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-10-05 Thread Salvatore Bonaccorso
Hi Thomas,
On Fri, Sep 30, 2016 at 08:05:14AM +0200, Thomas Orgis wrote:
> On Thu, 29 Sep 2016 01:20:05 +0200, Thomas Orgis wrote:
> > Still nothing. I don't expect anything to arrive anymore. Perhaps that Google Docs form was a joke anyway. So, please let's

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-30 Thread Thomas Orgis
On Thu, 29 Sep 2016 01:20:05 +0200, Thomas Orgis wrote:
> Still nothing. I don't expect anything to arrive anymore. Perhaps that Google Docs form was a joke anyway. So, please let's just get a number via Debian and get on with it.
Nope, eh … yes. I got a reply now

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-28 Thread Thomas Orgis
On Tue, 27 Sep 2016 22:39:21 +0200, Thomas Orgis wrote:
> Well, so far I did not get a response from http://iwantacve.org/
Still nothing. I don't expect anything to arrive anymore. Perhaps that Google Docs form was a joke anyway. So, please let's just get a number via

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-27 Thread Thomas Orgis
On Tue, 27 Sep 2016 18:50:35 +0200, Florian Weimer wrote:
> Debian is a CNA-covered product, mpg123 is part of Debian, so it is unclear what to do here. I'll ask around.
Well, so far I did not get a response from http://iwantacve.org/ (linked from

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-27 Thread Florian Weimer
* Thomas Orgis:
> On Tue, 27 Sep 2016 10:27:04 +0100, James Cowgill wrote:
>> Does this have a CVE ID? If not it should get one.
> I wondered about that. At the moment I just acted on the bug report and pushed the fix. I have to personal experience with the CVE

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-27 Thread Thomas Orgis
On Tue, 27 Sep 2016 10:27:04 +0100, James Cowgill wrote:
> Does this have a CVE ID? If not it should get one.
I wondered about that. At the moment I just acted on the bug report and pushed the fix. I have to personal experience with the CVE procedure. In the past, just

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-27 Thread James Cowgill
Control: severity -1 grave
Control: tags -1 security fixed-upstream
Control: found -1 0.60-1
Hi,
On 27/09/16 06:47, Thomas Orgis wrote:
> Package: mpg123
>
> This is mpg123 upstream formally informing you of a vulnerability (crash on illegal memory read) in all mpg123 versions since 0.60, so

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-26 Thread Thomas Orgis
Package: mpg123
This is mpg123 upstream formally informing you of a vulnerability (crash on illegal memory read) in all mpg123 versions since 0.60, so very likely all Debian versions of mpg123 and libmpg123 are affected. See more detail at http://mpg123.org/bugs/240 . A one-line fix for any