Date: Sun, 23 Oct 2016 09:45:37 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: jasper: two NULL pointer dereference in bmp_getdata (bmp_dec.c) (Incomplete fix for CVE-2016-8690)

On Saturday 22 October 2016 21:02:46 cve-assign@...re.org wrote:
> > https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690
> > 
> > AddressSanitizer: SEGV on unknown address 0x000000000000
> > 0x7f90527a18fd in bmp_getdata ...
> > jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5
> Use CVE-2016-8884.
> 
> > AddressSanitizer: SEGV on unknown address 0x000000000000
> > 0x7f888b2f5a43 in bmp_getdata ...
> > jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5
> Use CVE-2016-8885.
> 
> --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]

Hello Mitre,

the previous assignment on this issue was about only one CVE (see
http://www.openwall.com/lists/oss-security/2016/10/16/18).

We said that the cause of the two null pointer accesses was the same.

Now for completeness I posted the stacktrace of both locations in bmp_dec.c 
but I guess that the root cause remains the same.

Do you need to reject one of these two, or is it fine as is?


-- 
Agostino Sarubbo
Gentoo Linux Developer
