Date: Sun, 16 Oct 2016 00:50:36 +0800
From: Ben Woods <woodsb02@...il.com>
To: dcoffin@...ercom.net, oss-security@...ts.openwall.com
Subject: dcraw and CVE-2015-8366 + CVE-2015-8367

Hi Dave,

I was wondering if you could comment on whether dcraw is affected by these
2 CVEs and whether new versions have been released which remove the
vulnerability?

I noticed you mentioned in the mailing list post below that "CVE-2015-8366
will be fixed in v9.27" - did that end up getting fixed in 9.27? How about
CVE-2015-8367?
http://seclists.org/oss-sec/2016/q1/526

CVE-2015-8366
Index overflow in smal_decode_segment
Fixed in LibRaw by:
https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2


CVE-2015-8367
Memory objects are not initialized properly
Fixed in LibRaw by:
https://github.com/LibRaw/LibRaw/commit/490ef94d1796f730180039e80997efe5c58db780


Thanks for your help.

Regards,
Ben

--
From: Benjamin Woods
woodsb02@...il.com
