Date: Thu, 17 Sep 2015 09:54:59 -0500
From: Mark Felder <feld@...d.me>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Use-after-free in optipng 0.6.4

On Wed, Sep 16, 2015, at 06:11, Gustavo Grieco wrote:
> We found a use-after-free causing an invalid/double free in optipng
> 0.6.4.
> Upstream is working in fixing it but keep in mind that optipng 0.6.x is
> officially unsupported. A CVE will be useful since such version is
> included
> in distros like Debian and Ubuntu. Please find attached the test case to
> trigger it. The valgrind report is here:
>

Is 0.6.5 affected? I would assume it is since you said upstream is
working on a patch...

-- 
Mark Felder
feld@...d.me