
CVE-2017-14988 in openexr



Hi security team,

looking at the above CVE I wonder if this shouldn't be no-dsa
(postponed). The memory is allocated during new which can fail and
there's basically no sane default to cap the reservation at a sane
value. Running with 'ASAN_OPTIONS=allocator_may_return_null=1' gives a

    convert: unable to open image `Cannot read image file "./test.exr". Cannot read image file "./test.exr". Unexpected end of file.': Success @ error/exr.c/ReadEXRImage/206.
    convert: no images defined `./1.png' @ error/convert.c/ConvertImageCommand/3258.

O.k. to mark no-dsa(postponed) in all jessie/stretch? I've added a
comment to the upstream bug but maybe this should even be rejected. Or
am I missing something?

Cheers,
 -- Guido

