Just submitted version -08 addressing your last set of comments. See
below for details.

On 26/07/17 12:41 AM, Ben Campbell wrote:
> I suggest adding a sentence to the effect of the following after “…
> associated text description.”:
>
> "That RFC includes the reference decoder implementation as Appendix
> A."

Done.

>> This document fixes two security issues reported on Opus and that
>> affect the reference implementation in RFC 6716 [RFC6716]: CVE-
>> 2013-0899 and CVE-2017-0381. CVE-2013-0899 is fixed by Section 4
>> and could theoretically cause information leak, but the leaked
>> information would at the very least go through the decoder process
>> before being accessible to the attacker. Also, the bug can only
>> be triggered by Opus packets at least 24 MB in size. CVE-2017-0381
>> is fixed by Section 7 as far as the authors are aware, could not
>> be
>
> Is there a missing word? It’s not clear if you mean to say that as
> far as the authors are aware it is fixed, or as far as the authors
> are aware it could not be exploited.

There was indeed a missing "and":

    CVE-2017-0381 is fixed by Section 7 and, as far as the authors
    are aware, could not be exploited in any way...

> Can you add some context about the CVEs, such as where they are
> reported and where they can be found?

Added links to the CVEs.

> So, as I looked at the XML diff, I realize the emphasis is added
> using XML tags rather than by hand entering the underscores. So I may
> have been incorrect to say they have no meaning in the context of an
> RFC :-) I think the text is still better without them, but do not
> have strong feelings if you prefer to keep them.

I agree that the underscores weren't adding much, so I'm leaving them out.

Cheers,

Jean-Marc

_______________________________________________
codec mailing list
https://www.ietf.org/mailman/listinfo/codec