Date: Sun, 23 Oct 2016 09:45:37 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: jasper: two NULL pointer dereference in bmp_getdata (bmp_dec.c) (Incomplete fix for CVE-2016-8690)

On Saturday 22 October 2016 21:02:46 cve-assign@...re.org wrote:
> > https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereferenc
> > e-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690
> >
> > AddressSanitizer: SEGV on unknown address 0x000000000000
> > 0x7f90527a18fd in bmp_getdata ...
> > jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5
>
> Use CVE-2016-8884.
>
> > AddressSanitizer: SEGV on unknown address 0x000000000000
> > 0x7f888b2f5a43 in bmp_getdata ...
> > jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5
>
> Use CVE-2016-8885.
>
> --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]

Hello Mitre,

the previous assignment on this issue was about only one CVE (see
http://www.openwall.com/lists/oss-security/2016/10/16/18).

We said that the cause of the two null pointer accesses was the same. Now, for
completeness, I posted the stacktrace of both locations in bmp_dec.c, but I
guess that the root cause remains the same.

Do you need to reject one of these two, or is it fine as is?

--
Agostino Sarubbo
Gentoo Linux Developer