CVE-2008-2009

Michael S. Gilbert michael.s.gilbert at gmail.com
Sun May 3 19:30:28 UTC 2009


On Fri, 1 May 2009 18:46:04 -0500 Peter Samuelson wrote:
> [Michael S. Gilbert]
> > please coordinate with the security team to produce fixes for the
> > stable releases for the vorbis vulnerability (CVE-2008-2009, bug
> > #482039). thanks.
> 
> The vulnerability is listed as only being in versions of libvorbis
> prior to 1.0.  I thought the only reason for bug 482039 was to provide
> some insurance against discovery of possible future vulnerabilities.
> 
> Do I understand correctly?  If so, I think there is little reason to
> bother the security team.  If there are actual known vulnerabilities,
> of course that is a different matter.

oftentimes, you can't trust version numbers as stated in the CVE
itself.  you have to check the code.

my interpretation is that additional sanity checks were added by the
patch for bug #482039; and we should want those same protections in
place for users of the stable distribution as well. hence, a DSA will
likely need to be issued for the problem.

the security team should be burdened since this problem does impact the
security of the distribution.  please discuss the matter with them, and
they will provide further guidance.


