On Mon, Jan 26, 2015 at 05:33:30PM +0100, Sebastian Ramacher wrote:
> On 2015-01-26 13:49:26, Moritz Mühlenhoff wrote:
> > On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote:
> > > * The potential invalid writes in modules/services_discovery/sap.c and
> > > modules/access/ftp.c were not fixed as I did not provide a
> > > trigger. Note, that the code looks very similar to the confirmed bug
> > > in rtp_packetize_xiph_config, and so I leave it to you to decide
> > > whether you want to patch this.
> >
> > These have been assigned CVE-2015-1202 and CVE-2015-1203, could you contact
> > upstream for the status of an upstream fix?
>
> Just because they look similar, does not make them a vulnerability. The
> format string for ftp_SendCommand is not attacker controlled. The reporter
> still has not answered questions about how the invalid write in
> modules/access/ftp.c could be triggered [1]. Similarly, the issue in
> modules/services_discovery/sap.c lacks a trigger. The rather disturbing
> thread can be found at [2].
>
> [1] https://mailman.videolan.org/pipermail/vlc-devel/2014-December/100674.html
> [2] https://mailman.videolan.org/pipermail/vlc-devel/2014-December/100675.html
Given upstream's response we'll mark these as non-issues in the Debian security
tracker, then.
I'm adding MITRE to CC; CVE-2015-1202 and CVE-2015-1203 are disputed by
upstream, please consider to mark them as rejected.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
