Re: [Secure-testing-commits] r48631 - in data: . CVE

To: Balint Reczey <balint@balintreczey.hu>
Cc: Emilio Pozuelo Monfort <pochu@debian.org>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: [Secure-testing-commits] r48631 - in data: . CVE
From: Guido Günther <agx@sigxcpu.org>
Date: Sat, 4 Feb 2017 12:36:35 +0100
Message-id: <[🔎] 20170204113635.g7emwos53v6taov5@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Balint Reczey <balint@balintreczey.hu>, Emilio Pozuelo Monfort <pochu@debian.org>, Debian LTS <debian-lts@lists.debian.org>
In-reply-to: <6f9e4ca0-e143-a5a0-de11-e56887e436c4@debian.org>
References: <E1cYfJv-0005jh-G1@moszumanska.debian.org> <6f9e4ca0-e143-a5a0-de11-e56887e436c4@debian.org>

On Tue, Jan 31, 2017 at 10:14:18PM +0100, Emilio Pozuelo Monfort wrote:
> Hi Balint,
> 
> On 31/01/17 21:46, Balint Reczey wrote:
> > Log:
> > wavpack's issues don't affect wheezy
> > 
> > The first part of the upstream patch is not needed since the
> > code is very different and not vulnerable.
> > The second part applies, but does not make any difference when
> > trying the exploits. Tested with valgrind on Wheezy.
> 
> These issues were found with address sanitizer, so I don't think checking with
> valgrind is enough (it's not the same).
> 
> May be worth checking with asan (it should be available in wheezy's llvm 3.1).

I also don't think using valgrind and asan behave the same here. Also it's
obvious that the hunk that fixes the overflow is missing in Wheezy. So
I'd rather stay on the safe side.

Cheers,
 -- Guido

Reply to:

Prev by Date: Wheezy update of libpodofo?
Next by Date: Re: Wheezy update of libpodofo?
Previous by thread: Re: [Secure-testing-commits] r48631 - in data: . CVE
Next by thread: Re: openssl wheezy update
Index(es):
- Date
- Thread