Date: Sat, 19 Sep 2015 18:01:39 +0200
From: Stefan Cornelius <>
Subject: Re: CVE Request: Use-after-free in optipng 0.6.4

On Wed, 16 Sep 2015 08:11:03 -0300
Gustavo Grieco <> wrote:

> We found a use-after-free causing an invalid/double free in optipng
> 0.6.4. Upstream is working on fixing it, but keep in mind that optipng
> 0.6.x is officially unsupported. A CVE would be useful since that
> version is included in distros like Debian and Ubuntu. Please find
> attached the test case to trigger it.
For some reason the attached image test case didn't make it through.
Gustavo was kind enough to email me a copy and asked me to add it to
our bug for easy public access.

Direct link:

Our bug for this issue is here:

PS: FYI, "On September 20th, 2015, 0:00 UTC we will be upgrading the Red
Hat Bugzilla servers in a migration process lasting 10 to 14 hours."

Stefan Cornelius / Red Hat Product Security
