Re: ASAN builds and exiv2

[Raphael Hertzog <hertzog@debian.org>]

On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> Fun times. So I'm stuck now - I reported the CVE issues upstream so
> they're at least aware of the issue:
> 
> https://github.com/Exiv2/exiv2/issues/174
> 
> ... but I am not sure what to do with the package in Wheezy. I'm tempted
> to mark this as no-dsa because there's no upstream fix and we can't
> reproduce, but I wonder if we should just mark it as not-affected
> instead.

I would like to point out that those CVE are for fuzzing issues reported
against 0.26 way before the last set of updates:
- in my previous update, many of the issues were really specific to 0.26
  and were not applicable at all to our version in wheezy
- the remaining issues have been fixed and it's quite possible that we
  have duplicate CVE here, even though the precise crash might not be the
  same (did somebody check this already?), a fix of a common underlying
  problem might have fixed multiple CVEs

Coming back to your ASAN issue, I would suggest that you try to reproduce
the issue with valgrind with 0.23-1+deb7u1 (old version). If you can
reproduce it there, then it's probably fixed by our previous update. If
you can reproduce it with 0.23-1+deb7u2 then it's still open...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/