CVE-2017-14988 in openexr
Hi security team,
looking at the above CVE I wonder if this shouldn't be no-dsa
(postponed). The memory is allocated during new which can fail and
there's basically no sane default to cap the reservation at a sane
value. Running with 'ASAN_OPTIONS=allocator_may_return_null=1' gives a
convert: unable to open image `Cannot read image file "./test.exr". Cannot read image file "./test.exr". Unexpected end of file.': Success @ error/exr.c/ReadEXRImage/206.
convert: no images defined `./1.png' @ error/convert.c/ConvertImageCommand/3258.
O.k. to mark no-dsa(postponed) in all jessie/stretch? I've added a
comment to the upstream bug but maybe this should even be rejected. Or
am I missing something?
Cheers,
-- Guido