oss-sec mailing list archives
Re: Information on CVE-2014-0158, openjpeg
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Wed, 02 Apr 2014 14:32:33 +0530
On 04/02/2014 02:01 PM, Raphael Geissert wrote:
Hi, I just became aware of CVE-2014-0158[1], which was recently assigned to openjpeg. Looking at the proposed patch (as the description is rather brief), it seems to me that it is a dup of one of the bugs covered by CVE-2013-1447.
You are correct, I just realised that this issue is already patched when I looked at those issues.
Quoting from my post to oss-security:
5. null pointer dereferences, division by zero, and anything that would just fit as DoS (CVE-2013-1447)
[listing the group of issues and attachments]
5. [...] segfault6.patch
Which is exactly what is being commented about in [2], a copy of which is also available at [3]. IIRC without that patch some of the structures were not initialized and applications (like the ones shipped by openjpeg itself) would try to dereference NULL pointers, and just crash - no memory write was involved. Or is there more into CVE-2014-0158 that I might be missing?
I don't agree with this being only a crash. I put some details at: https://bugzilla.redhat.com/show_bug.cgi?id=1082925#c1
Anyway, this CVE is a dupe, MITRE could you please reject this CVE?
--
Huzaifa Sidhpurwala / Red Hat Security Response Team