
Re: [Secure-testing-commits] r48631 - in data: . CVE



Hi Emilio,

2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort <pochu@debian.org>:
> Hi Balint,
>
> On 31/01/17 21:46, Balint Reczey wrote:
>> Log:
>> wavpack's issues don't affect wheezy
>>
>> The first part of the upstream patch is not needed since the
>> code is very different and not vulnerable.
>> The second part applies, but does not make any difference when
>> trying the exploits. Tested with valgrind on Wheezy.
>
> These issues were found with address sanitizer, so I don't think checking with
> valgrind is enough (it's not the same).
>
> May be worth checking with asan (it should be available in wheezy's llvm 3.1).

I was able to reproduce the heap issues on sid with valgrind, but I'll
give llvm a try, too.

Cheers,
Balint

