Re: [Secure-testing-commits] r48631 - in data: . CVE

To: Balint Reczey <balint@balintreczey.hu>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: [Secure-testing-commits] r48631 - in data: . CVE
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Tue, 31 Jan 2017 22:14:18 +0100
Message-id: <[🔎] 6f9e4ca0-e143-a5a0-de11-e56887e436c4@debian.org>
In-reply-to: <E1cYfJv-0005jh-G1@moszumanska.debian.org>
References: <E1cYfJv-0005jh-G1@moszumanska.debian.org>

Hi Balint,

On 31/01/17 21:46, Balint Reczey wrote:
> Log:
> wavpack's issues don't affect wheezy
> 
> The first part of the upstream patch is not needed since the
> code is very different and not vulnerable.
> The second part applies, but does not make any difference when
> trying the exploits. Tested with valgrind on Wheezy.

These issues were found with address sanitizer, so I don't think checking with
valgrind is enough (it's not the same).

May be worth checking with asan (it should be available in wheezy's llvm 3.1).

Cheers,
Emilio

Reply to:

Follow-Ups:
- Re: [Secure-testing-commits] r48631 - in data: . CVE
  - From: Bálint Réczey <balint@balintreczey.hu>

Prev by Date: Re: graphicsmagick update
Next by Date: Re: [Secure-testing-commits] r48631 - in data: . CVE
Previous by thread: Re: Accepted tcpdump 4.9.0-1~deb7u1 (amd64 source) into oldstable
Next by thread: Re: [Secure-testing-commits] r48631 - in data: . CVE
Index(es):
- Date
- Thread