
Re: HFS+ specific vulnerability

On Thu, 2016-06-02 at 17:39 +1000, Brian May wrote:
> Hello,
> Do we care about vulnerabilities that are specific to HFS+?
> http://www.talosintel.com/reports/TALOS-2016-0093/
> CVE-2016-2334

If a program automatically detects file formats then every supported
file format is part of its attack surface.  I don't think we can rule
out certain formats as too obscure.  (See for example the recent
attacks on ImageMagick/GraphicsMagick using a format that most people
never heard of before.  The fix there was to disable support for that
format by default.)


Ben Hutchings
All the simple programs have been written, and all the good names
