Re: [Secure-testing-commits] r48631 - in data: . CVE

To: Emilio Pozuelo Monfort <pochu@debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: [Secure-testing-commits] r48631 - in data: . CVE
From: Bálint Réczey <balint@balintreczey.hu>
Date: Wed, 1 Feb 2017 00:42:45 +0100
Message-id: <[🔎] CAK0OdpxAXE7_CRiqZXkcjk9=b2VF1M0hAQ7Wge-F2Z08FiTdCQ@mail.gmail.com>
Reply-to: balint@balintreczey.hu
In-reply-to: <[🔎] CAK0Odpwcj6+EGZ6EFop=JyCtKj70ZG2xpb7ptcQZ6WPLJ3Pqmw@mail.gmail.com>
References: <E1cYfJv-0005jh-G1@moszumanska.debian.org> <[🔎] 6f9e4ca0-e143-a5a0-de11-e56887e436c4@debian.org> <[🔎] CAK0Odpwcj6+EGZ6EFop=JyCtKj70ZG2xpb7ptcQZ6WPLJ3Pqmw@mail.gmail.com>

Hi Emilio,

2017-01-31 22:23 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi Emilio,
>
> 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort <pochu@debian.org>:
>> Hi Balint,
>>
>> On 31/01/17 21:46, Balint Reczey wrote:
>>> Log:
>>> wavpack's issues don't affect wheezy
>>>
>>> The first part of the upstream patch is not needed since the
>>> code is very different and not vulnerable.
>>> The second part applies, but does not make any difference when
>>> trying the exploits. Tested with valgrind on Wheezy.
>>
>> These issues were found with address sanitizer, so I don't think checking with
>> valgrind is enough (it's not the same).
>>
>> May be worth checking with asan (it should be available in wheezy's llvm 3.1).
>
> I was able to reproduce the heap issues on sid with valgrind but i
> give llvm a try, too.

Llvm 3.1 supports ASAN, but I could not find clang in the llvm-3.1 packages.
What am I missing? :-)

Cheers,
Balint

Reply to:

References:
- Re: [Secure-testing-commits] r48631 - in data: . CVE
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Re: [Secure-testing-commits] r48631 - in data: . CVE
  - From: Bálint Réczey <balint@balintreczey.hu>

Prev by Date: Re: Wheezy update of mysql-5.5?
Previous by thread: Re: [Secure-testing-commits] r48631 - in data: . CVE
Next by thread: openssl wheezy update
Index(es):
- Date
- Thread