
Re: CVE-2019-14866


Ok, thank you. Then I'll use the version Thomas used for Debian old and oldold stable. I'll use that as I have tested it already and it is easier to read for someone wanting to compare the difference compared to an older version.

Best regards

// Ola

On Mon, 4 Nov 2019 at 21:25, Sergey Poznyakoff <gray@gnu.org.ua> wrote:
Hi Ola,

> Hi Sergey
> I can see that the fix is quite different from the one Thomas proposed. Do
> I understand correctly that this fix goes around the problem in a different
> way?

Not quite so.  It takes basically the same approach as the fix Thomas
proposed, but also removes unnecessary code duplication and ensures
informative error diagnostics.

> I do not see any explicit value > 0 check.

See the return from the to_ascii function.

> it looks like the fix allows larger file sizes

No, of course all size limits remain the same.


 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
