Re: ASAN builds and exiv2
On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> Fun times. So I'm stuck now - I reported the CVE issues upstream so
> they're at least aware of the issue:
>
> https://github.com/Exiv2/exiv2/issues/174
>
> ... but I am not sure what to do with the package in Wheezy. I'm tempted
> to mark this as no-dsa because there's no upstream fix and we can't
> reproduce, but I wonder if we should just mark it as not-affected
> instead.
I would like to point out that those CVE are for fuzzing issues reported
against 0.26 way before the last set of updates:
- in my previous update, many of the issues were really specific to 0.26
and were not applicable at all to our version in wheezy
- the remaining issues have been fixed and it's quite possible that we
have duplicate CVE here, even though the precise crash might not be the
same (did somebody check this already?), a fix of a common underlying
problem might have fixed multiple CVEs
Coming back to your ASAN issue, I would suggest that you try to reproduce
the issue with valgrind with 0.23-1+deb7u1 (old version). If you can
reproduce it there, then it's probably fixed by our previous update. If
you can reproduce it with 0.23-1+deb7u2 then it's still open...
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Reply to: