[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DSA-4160-1 libevt -- security update



>From the CVE Team at Mitre

"The vulnerability description for the entry in the CVE corpus does
not mention code execution
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8754).  You
will need to consult Debian as to why that make that claim."

Debian security team, please elaborate



On Mon, Apr 2, 2018 at 4:51 PM, Joachim Metz <joachim.metz@gmail.com> wrote:
> I'm the maintainer of libevt, this security issue
> (https://www.debian.org/security/2018/dsa-4160) was brought to my
> attention.
>
> It was discovered that insufficient input sanitising in libevt, a
> library to access the Windows Event Log (EVT) format, could result in
> denial of service or the execution of arbitrary code if a malformed
> EVT file is processed.
>
> "the execution of arbitrary code"
>
> where is the proof of these claims?
>
> the bug is a heap read out of bounds until now I've not seen proof of
> possible exploitation.


Reply to: