[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Secure-testing-commits] r48631 - in data: . CVE

Hi Emilio,

2017-01-31 22:23 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi Emilio,
> 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort <pochu@debian.org>:
>> Hi Balint,
>> On 31/01/17 21:46, Balint Reczey wrote:
>>> Log:
>>> wavpack's issues don't affect wheezy
>>> The first part of the upstream patch is not needed since the
>>> code is very different and not vulnerable.
>>> The second part applies, but does not make any difference when
>>> trying the exploits. Tested with valgrind on Wheezy.
>> These issues were found with address sanitizer, so I don't think checking with
>> valgrind is enough (it's not the same).
>> May be worth checking with asan (it should be available in wheezy's llvm 3.1).
> I was able to reproduce the heap issues on sid with valgrind but i
> give llvm a try, too.

Llvm 3.1 supports ASAN, but I could not find clang in the llvm-3.1 packages.
What am I missing? :-)


Reply to: