CVE-2017-14988 in openexr

To: team@security.debian.org
Cc: debian-lts@lists.debian.org
Subject: CVE-2017-14988 in openexr
From: Guido Günther <agx@sigxcpu.org>
Date: Wed, 29 Nov 2017 22:32:38 +0100
Message-id: <[🔎] 20171129213238.nnho7xu5crmrwgnw@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, team@security.debian.org, debian-lts@lists.debian.org

Hi security team,

looking at the above CVE I wonder if this shouldn't be no-dsa
(postponed). The memory is allocated during new which can fail and
there's basically no sane default to cap the reservation at a sane
value. Running with 'ASAN_OPTIONS=allocator_may_return_null=1' gives a

    convert: unable to open image `Cannot read image file "./test.exr". Cannot read image file "./test.exr". Unexpected end of file.': Success @ error/exr.c/ReadEXRImage/206.
    convert: no images defined `./1.png' @ error/convert.c/ConvertImageCommand/3258.

O.k. to mark no-dsa(postponed) in all jessie/stretch? I've added a
comment to the upstream bug but maybe this should even be rejected. Or
am I missing something?

Cheers,
 -- Guido

Reply to:

Prev by Date: Contact maintainers via bts [was Re: Debconf 2017 LTS BoF Summary]
Next by Date: Re: [PATCH 3/3] report-vuln: Support generation of mail headers
Previous by thread: Contact maintainers via bts [was Re: Debconf 2017 LTS BoF Summary]
Next by thread: [PATCH] report-vuln: allow to invoke mailer
Index(es):
- Date
- Thread