Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 May 2016 18:09:46 +0800
From: WinsonLiu <stackexploit@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE Request - OpenJPEG: Security Fixes

>
> Hi,
>
>
>> Some security issues of OpenJPEG have been fixed. Please consider
>> assigning CVE numbers to them.
>
>
>> 2. Issue 775
>
> OpenJPEG Out-of-Bounds Access in function opj_tgt_reset of tgt.c
>
> Fixed via
>> https://github.com/uclouvain/openjpeg/commit/1a8318f6c24623189ecb65e049267c6f2e005c0e
>
>
> Is that a different issue than CVE-2016-1924?
>

Hi Moritz,

You are right. Issue 775 was a duplicate of CVE-2016-1924.

I didn't notice that limingxing has been reported this issue (reported at
http://seclists.org/oss-sec/2016/q1/128 and assigned CVE-2016-1924). I have
tested the proof-of-concept file supplied by limingxing and confirmed that
issue 775 was a duplicate of CVE-2016-1924. It seems that limingxing did
not report it to the official developers because I could not find any
information about this issue on GitHub and the official developers did not
fix it for a long time. I thought this was a new issue and reported it to
them after I did some fuzz testing. Anyway, this issue has been fixed by
the official developers now.

Regards,
Ke Liu of Tencent's Xuanwu LAB

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ