Commit
fixes for 4 fuzz failures posted to SourceForge mailing list
Showing 2 changed files with 9 additions and 1 deletion.
4bc05fc
Four CVEs have been assigned for the issues fixed by this commit:
http://www.openwall.com/lists/oss-security/2017/01/28/9
And fixes for the WavPack 4.80.0 release?
This patch is not applicable to the current version 4.80.0 [1]: the function read_new_config_info does not even exist there, only read_config_info, and it is quite different in src/open_utils.c.
https://bugzilla.redhat.com/show_bug.cgi?id=1417853
Two of the three fixes here are only related to features added since 4.80, so they would not apply. Only the fix in read_words.c could be backported.
There have actually been several other similar fixes since 4.80, but many of these are also specific to new features, and so would have to be examined on a case-by-case basis. Also, some of the fixes affect only encoding (not decoding) so they do not pose a risk.
cbdf3fd
6e7936b
7235ce7
3cc16c5
bfe11dd
I do not understand the rationale behind trying to apply these fixes to previous versions, especially because applying the patches without all the context and more testing could even trigger other issues.
Wouldn't it be just as easy to upgrade to the most recent release? The current release has been extensively tested by AFL and is probably the most robust WavPack release to date. It is also 100% functionally compatible with 4.80 (no broken apps).
Hello, oops, I think I confused WavPack with touchsound; I thought I couldn't update it without rebuilding a bunch of packages to do a soname bump [1]. So now, IIRC, updating wavpack is a smooth update (all other packages will still work). I will update first on f26 and on my local computer; if there are no problems, I will update the lower versions and also the EPEL packages.
Thank you for the feedback.
[1] for example https://ask.fedoraproject.org/en/question/83662/why-audacity-is-not-working/?answer=83736#post-id-83736