Date: Sat, 19 Sep 2015 18:01:39 +0200
From: Stefan Cornelius <scorneli@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Use-after-free in optipng 0.6.4

On Wed, 16 Sep 2015 08:11:03 -0300
Gustavo Grieco <gustavo.grieco@...il.com> wrote:

> We found a use-after-free causing an invalid/double free in optipng
> 0.6.4. Upstream is working on fixing it, but keep in mind that optipng
> 0.6.x is officially unsupported. A CVE will be useful since this
> version is included in distros like Debian and Ubuntu. Please find
> attached the test case to trigger it.

Hi,

For some reason the attached image test case didn't make it through.
Gustavo was kind enough to email me a copy and asked me to add it to
our bug for easy public access.

Direct link:
https://bugzilla.redhat.com/attachment.cgi?id=1075212

Our bug for this issue is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1264015

PS: FYI, "On September 20th, 2015, 0:00 UTC we will be upgrading the
Red Hat Bugzilla servers in a migration process lasting 10 to 14 hours."

Thanks,
-- 
Stefan Cornelius / Red Hat Product Security