Date: Sun, 26 Oct 2014 23:44:49 +0100
From: Hanno Böck <>
Subject: Re: Re: strings / libbfd crasher

On Sun, 26 Oct 2014 18:05:01 -0400 (EDT)

> There is currently no CVE ID for the
> psa-dont-run-strings-on-untrusted-files.html "0xdeadbabe October 25,
> 2014 7:20 PM" comment about "another one related with PE file headers
> parsing." In general, a separate discovery that's potentially
> exploitable for code execution could have its own CVE ID. Does anyone
> want a CVE ID for that?

The information in the comment is a bit scarce; it seems he hasn't
published his sample (?).
Anyway, I checked the radare2-testsuite he was pointing to and found a
crasher in the PE parser. I don't know if this is the same one, but I
reported it upstream:

As this is a write to uninitialized memory it seems to me a CVE is

Hanno Böck

