On 19.01.2016 20:32, Rémi Denis-Courmont wrote:
> On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote:
>> How is CVE-2016-1897 not fully fixed?
>>
>> Rémi, please share details about any remaining vulnerability with
>> <[email protected]>.
>
> This is a VLC vulnerability and I can't share it with my own self.

However, you suggest that the underlying problem is in libavformat.

> Besides the
> underlying issue has already been discussed with upstream libav.

But they haven't applied any fix for it, yet.

> There is plenty of information available already to reproduce the problem.

I can reproduce the problem with ffmpeg 2.8.4, but not with 2.8.5.

> I don't want to publish an exact proof-of-concept against "my" own software,
> especially not before VLC 2.2.2 gets released.

<[email protected]> is a private mailing list that can deal with embargoed
information. So please provide more details there.

Best regards,
Andreas

