oss-sec mailing list archives
Re: A bunch of duplicate CVEs requested for?? bho..
From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 29 Aug 2017 15:49:46 +0200
Another recent example by owl337: https://nvd.nist.gov/vuln/detail/CVE-2017-13737 which points to: https://bugzilla.redhat.com/show_bug.cgi?id=1484196

There is an invalid free in the MagickFree function in magick/memory.c in GraphicsMagick 1.3.26 that will lead to a remote denial of service attack.

The maintainer of GraphicsMagick, Mr Bob Friesenhahn, said to me:

"It looks like this problem is not a GM bug but it is already fixed in libtiff. Using latest libtiff CVS sources I see this in the GM traces which are produced by libtiff:

08:41:48 0:01 0.000u 25164 tiff.c/unknown/2268/Coder: Allocating scanline buffer of 104 bytes
08:41:48 0:01 0.000u 25164 tiff.c/unknown/932/Coder: TIFF Warning: Discarding 89 bytes to avoid buffer overrun.
08:41:48 0:01 0.000u 25164 tiff.c/unknown/932/Coder: TIFF Warning: Discarding 16 bytes to avoid buffer overrun.
08:41:48 0:01 0.000u 25164 tiff.c/unknown/932/Coder: TIFF Warning: Discarding 1 bytes to avoid buffer overrun.
08:41:48 0:01 0.000u 25164 tiff.c/unknown/932/Coder: TIFF Warning: Terminating PackBitsDecode due to lack of data..
08:41:48 0:01 0.000u 25164 tiff.c/unknown/793/Coder: Not enough data for scanline 3. (PackBitsDecode)

I am not sure what libtiff Red Hat is using. It may be that the changes are since the latest libtiff release. I could help with that by making another libtiff release."

--
Agostino Sarubbo
Gentoo Linux Developer
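The libtiff warnings quoted in the mail ("Discarding N bytes to avoid buffer overrun", "Terminating PackBitsDecode due to lack of data") come from bounds checks in a PackBits decoder. As an added illustration, not libtiff's or GraphicsMagick's code, this minimal TIFF PackBits decoder clips any run that would exceed the scanline buffer and reports how many bytes it dropped; the struct, function names and sample stream are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Decode result (hypothetical struct, not libtiff's API):
 * produced = bytes written, discarded = bytes clipped because the
 * output buffer was full, truncated = input ran out before it was filled. */
typedef struct { size_t produced, discarded; int truncated; } pb_result;

/* TIFF PackBits: control byte n as int8. n >= 0: copy the next n+1 literal
 * bytes; -127..-1: repeat the next byte 1-n times; -128: no-op. A run that
 * would overrun `out` is clipped and the excess counted, mirroring libtiff's
 * "Discarding N bytes to avoid buffer overrun" warning quoted in the mail. */
pb_result packbits_decode(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_len)
{
    pb_result r = {0, 0, 0};
    size_t ip = 0;
    while (r.produced < out_len) {
        if (ip >= in_len) { r.truncated = 1; break; }  /* lack of data */
        int8_t n = (int8_t)in[ip++];
        if (n == -128) continue;
        size_t run  = (n >= 0) ? (size_t)n + 1 : (size_t)(1 - n);
        size_t room = out_len - r.produced;
        size_t take = run < room ? run : room;           /* clip to buffer */
        if (n >= 0) {                                    /* literal run */
            if (ip + run > in_len) { r.truncated = 1; break; }
            memcpy(out + r.produced, in + ip, take);
            ip += run;
        } else {                                         /* repeat run */
            if (ip >= in_len) { r.truncated = 1; break; }
            memset(out + r.produced, in[ip++], take);
        }
        r.produced  += take;
        r.discarded += run - take;
    }
    return r;
}

/* Constructed sample stream: repeat 'A' three times, then literal "BC". */
static const uint8_t SAMPLE[] = {0xFE, 'A', 0x01, 'B', 'C'};

/* Decode SAMPLE into a scanline of out_len bytes (out_len <= 16). */
pb_result decode_sample(size_t out_len)
{
    uint8_t out[16] = {0};
    pb_result r = packbits_decode(SAMPLE, sizeof SAMPLE, out, out_len);
    printf("out_len=%zu produced=%zu discarded=%zu truncated=%d\n",
           out_len, r.produced, r.discarded, r.truncated);
    return r;
}
int main(void) { decode_sample(5); decode_sample(4); decode_sample(8); return 0; }
```

A scanline of 4 bytes clips one byte of the literal run (the "Discarding" case); a scanline of 8 bytes exhausts the 5-byte input first (the "lack of data" case).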
Current thread:
- A bunch of duplicate CVEs requested for?? bho.. Agostino Sarubbo (Aug 29)
- Re: A bunch of duplicate CVEs requested for?? bho.. Agostino Sarubbo (Aug 29)
- Re: A bunch of duplicate CVEs requested for?? bho.. Bob Friesenhahn (Aug 29)
- Re: A bunch of duplicate CVEs requested for?? bho.. Kurt Seifried (Aug 29)
- Re: A bunch of duplicate CVEs requested for?? bho.. Henri S. (Aug 29)
- Re: A bunch of duplicate CVEs requested for?? bho.. Agostino Sarubbo (Aug 29)
- Re: [scr379303] A bunch of duplicate CVEs requested for?? bho.. cve-request (Aug 29)
- Re: Re: [scr379303] A bunch of duplicate CVEs requested for?? bho.. Agostino Sarubbo (Aug 29)