Re: [Secure-testing-commits] r48631 - in data: . CVE
2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort <firstname.lastname@example.org>:
> Hi Balint,
> On 31/01/17 21:46, Balint Reczey wrote:
>> wavpack's issues don't affect wheezy
>> The first part of the upstream patch is not needed since the
>> code is very different and not vulnerable.
>> The second part applies, but does not make any difference when
>> trying the exploits. Tested with valgrind on Wheezy.
> These issues were found with address sanitizer, so I don't think checking with
> valgrind is enough (it's not the same).
> May be worth checking with asan (it should be available in wheezy's llvm 3.1).
I was able to reproduce the heap issues on sid with valgrind but i
give llvm a try, too.