Re: DSA-4160-1 libevt -- security update
From the CVE Team at Mitre:
"The vulnerability description for the entry in the CVE corpus does
not mention code execution
will need to consult Debian as to why they make that claim."
Debian security team, please elaborate
On Mon, Apr 2, 2018 at 4:51 PM, Joachim Metz <firstname.lastname@example.org> wrote:
> I'm the maintainer of libevt, this security issue
> (https://www.debian.org/security/2018/dsa-4160) was brought to my
> It was discovered that insufficient input sanitising in libevt, a
> library to access the Windows Event Log (EVT) format, could result in
> denial of service or the execution of arbitrary code if a malformed
> EVT file is processed.
> "the execution of arbitrary code"
> where is the proof of these claims?
> the bug is a heap read out of bounds; until now I've not seen proof of
> possible exploitation.