Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 17 Jan 2017 12:11:07 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: jasper: invalid memory write in dec_clnpass
 (jpc_t1dec.c)

On Tue, Jan 17, 2017 at 11:33:28AM +0100, Agostino Sarubbo wrote:
> On Monday 16 January 2017 19:08:48 cve-assign@...re.org wrote:
> > > []
> > > https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-write-in-de
> > > c_clnpass-jpc_t1dec-c
> > > 
> > > AddressSanitizer: SEGV on unknown address
> > > The signal is caused by a WRITE memory access.
> > > 
> > > dec_clnpass ... jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:869:4
> > 
> > Use CVE-2017-5503.
> > 
> > 
> > --
> > CVE Assignment Team
> > M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> > [ A PGP key is available for encrypted communications at
> >   http://cve.mitre.org/cve/request_id.html ]
> 
> The previous mail clearly state:
> > Timeline:
> > 2016-11-20: bug discovered and reported to upstream
> 
> Why a CVE-2017-* ?

Where was that reported upstream? Please add the bug numbers to your
advisories.

Cheers,
        Moritz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.