Date: Sat, 19 Sep 2015 18:01:39 +0200
From: Stefan Cornelius <>
Subject: Re: CVE Request: Use-after-free in optipng 0.6.4

On Wed, 16 Sep 2015 08:11:03 -0300
Gustavo Grieco <> wrote:

> We found a use-after-free causing an invalid/double free in optipng
> 0.6.4. Upstream is working on fixing it, but keep in mind that optipng
> 0.6.x is officially unsupported. A CVE will be useful since that
> version is included in distros like Debian and Ubuntu. Please find
> attached the test case to trigger it.


For some reason the attached image test case didn't make it through.
Gustavo was kind enough to email me a copy and asked me to add it to
our bug for easy public access.

Direct link:

Our bug for this issue is here:

PS: FYI, "On September 20th, 2015, 0:00 UTC we will be upgrading the Red
Hat Bugzilla servers in a migration process lasting 10 to 14 hours."

Stefan Cornelius / Red Hat Product Security
