Date: Wed, 02 Apr 2014 14:32:33 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: Information on CVE-2014-0158, openjpeg

On 04/02/2014 02:01 PM, Raphael Geissert wrote:
> Hi,
>
> I just became aware of CVE-2014-0158, which was recently assigned
> to openjpeg.
> Looking at the proposed patch (as the description is rather brief), it
> seems to me that it is a dup of one of the bugs covered by
> CVE-2013-1447.
>

You are correct, I just realised that this issue is already patched when
I looked at those issues.

> Quoting from my post to oss-security:
>> 5. null pointer dereferences, division by zero, and anything that
> would just fit as DoS (CVE-2013-1447)
>
>> [listing the group of issues and attachments]
>> 5.
>> [...]
>> segfault6.patch
>
> Which is exactly what is being commented about in , a copy of which
> is also available at .
>
> IIRC without that patch some of the structures were not initialized
> and applications (like the ones shipped by openjpeg itself) would try
> to dereference NULL pointers, and just crash - no memory write was
> involved.
>
> Or is there more into CVE-2014-0158 that I might be missing?
>

I don't agree with this being only a crash. I put some details at:
https://bugzilla.redhat.com/show_bug.cgi?id=1082925#c1

Anyway, this CVE is a dupe, MITRE could you please reject this CVE?

--
Huzaifa Sidhpurwala / Red Hat Security Response Team