Date: Sun, 16 Oct 2016 00:50:36 +0800
From: Ben Woods <woodsb02@...il.com>
To: dcoffin@...ercom.net, oss-security@...ts.openwall.com
Subject: dcraw and CVE-2015-8366 + CVE-2015-8367

Hi Dave,

I was wondering if you could comment on whether dcraw is affected by these 2 CVEs and whether new versions have been released which remove the vulnerability?

I noticed you mentioned in the mailing list post below that "CVE-2015-8366 will be fixed in v9.27" - did that end up getting fixed in 9.27? How about CVE-2015-83667?
http://seclists.org/oss-sec/2016/q1/526

CVE-2015-8366
Index overflow in smal_decode_segment
Fixed in LibRaw by:
https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2

CVE-2015-8367
Memory objects are not initialized properly
Fixed in LibRaw by:
https://github.com/LibRaw/LibRaw/commit/490ef94d1796f730180039e80997efe5c58db780

Thanks for your help.

Regards,
Ben

--
From: Benjamin Woods
woodsb02@...il.com