Date: Thu, 17 Sep 2015 09:54:59 -0500
From: Mark Felder <feld@...d.me>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Use-after-free in optipng 0.6.4



On Wed, Sep 16, 2015, at 06:11, Gustavo Grieco wrote:
> We found a use-after-free causing an invalid/double free in optipng
> 0.6.4.
> Upstream is working on fixing it, but keep in mind that optipng 0.6.x is
> officially unsupported. A CVE will be useful since such a version is
> included in distros like Debian and Ubuntu. Please find attached the
> test case to trigger it. The valgrind report is here:
> 

Is 0.6.5 affected? I would assume it is since you said upstream is
working on a patch...

-- 
  Mark Felder
  feld@...d.me
