
Re: Bug#787644: libwmf: CVE-2015-0848: heap overflow when decoding BMP images



On Fri, Jun 19, 2015 at 02:07:10PM +0200, Guido Günther wrote:
> Hi,
> On Tue, Jun 16, 2015 at 06:26:31AM +0200, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > A second CVE was assigned for a further issue:
> >
> > http://www.openwall.com/lists/oss-security/2015/06/16/4
> > (CVE-2015-4588).
>
> Attached debdiff fixes the two CVEs on squeeze-lts. Since sid, jessie and
> wheezy ship basically the same versions it should easily apply there as
> well.
>
> With the patches applied I couldn't reproduce the crashes anymore as
> described at:
>
>     http://seclists.org/oss-sec/2015/q2/597
>
> I'd appreciate any comments / reviews before releasing the DLA.

I started to work on that for wheezy/jessie (but haven't built those
yet). I can double-check against my patches on the weekend and get
back to you.

Cheers,
        Moritz

