Opened 3 years ago
Closed 3 years ago
New point version.
Promote to blfs-9.0
More credit to OSS-Fuzz. The ID3v2 parser code is not yet as hardened
as the actual MPEG decoder. The paranoid can disable it at build-time.
If you do not need it, this is a good idea, anyway: Code that is not
there, cannot be exploited. Speaking about exploits: The recent crop
of bugs trigger a denial of service (crash) worst-case, some invalid
ID3 data normally. Code injection maybe not totally ruled out (that one
write of a zero byte?), but does not seem easy. Update to be sure that
you are only susceptible to as of yet hidden bugs.
Fixed at revision 22058.
© 1998-2022 Gerard Beekmans.