
LTS Report for October

In October I spent 10 hours, continuing from last month, on

* Uploaded version 1.3.16-1.1+deb7u10 with fixes for the following issues:
  * Fix CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
    coders/png.c did not properly manage image pointers after certain error
  * Fix CVE-2017-14314: heap-based buffer over-read in DrawDashPolygon().
  * Fix CVE-2017-14504: NULL pointer dereference triggered by malformed file.
  * Fix CVE-2017-14733: Ensure we detect alpha images with too few colors.
  * Fix CVE-2017-14994: DCM_ReadNonNativeImages() can produce image list with
    no frames, resulting in null image pointer.
  * Fix CVE-2017-14997: unsigned underflow leading to astonishingly
    large allocation request.

* Immediately after upload, more issues were found. So I uploaded
  version 1.3.16-1.1+deb7u11 to fix these too:
  * Fix CVE-2017-13737: Fix incorrect rounding up, resulting
    in scrambling the heap beyond the allocation.
  * Fix CVE-2017-15277: Leaves the palette uninitialized when processing a GIF
    file that has neither a global nor local palette.

I posted DLA 1130-1 to the announce list for the first issue - at least
two times; however, it does not appear to have made it to the mailing
list.  I posted DLA 1140-1 immediately after posting DLA 1130-1 again
and it worked. I have no idea why DLA 1130-1 didn't work but DLA 1140-1
did. I have not attempted to repost DLA 1130-1, because it could cause
confusion now that DLA 1140-1 was posted.

Brian May <bam@debian.org>
