Date: Sat, 19 Sep 2015 18:01:39 +0200 From: Stefan Cornelius <scorneli@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: Use-after-free in optipng 0.6.4 On Wed, 16 Sep 2015 08:11:03 -0300 Gustavo Grieco <gustavo.grieco@...il.com> wrote: > We found a use-after-free causing an invalid/double free in optipng > 0.6.4. Upstream is working in fixing it but keep in mind that optipng > 0.6.x is officially unsupported. A CVE will be useful since such > version is included in distros like Debian and Ubuntu. Please find > attached the test case to trigger it. Hi, For some reason the attached image test case didn't make it through. Gustavo was kind enough to email me a copy and asked me to add it to our bug for easy public access. Direct link: https://bugzilla.redhat.com/attachment.cgi?id=1075212 Our bug for this issue is here: https://bugzilla.redhat.com/show_bug.cgi?id=1264015 PS: FYI, "On September 20th, 2015, 0:00 UTC we will be upgrading the Red Hat Bugzilla servers in a migration process lasting 10 to 14 hours." Thanks, -- Stefan Cornelius / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ