Date: Thu, 8 Sep 2016 07:33:43 +0000 From: winsonliu(刘科) <winsonliu@...cent.com> To: cve-assign <cve-assign@...re.org> CC: cve-assign <cve-assign@...re.org>, oss-security <oss-security@...ts.openwall.com> Subject: Re: Re: CVE Request: OpenJPEG Heap Buffer Overflow Issue(Internet mail) > e078172b1c3f98d2219c37076b238fb759c751ea modifies tcd.c not dwt.c - is this still the correct commit? Yes, the issue was triggered in dwt.c but can be fixed in tcd.c. > Is it the same as Chromium bug 632622 that was already assigned CVE-2016-5157? I think so. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > I reported a security issue of OpenJPEG some days ago and it has been > fixed now. The fix is available at > https://github.com/uclouvain/openjpeg/commit/e078172b1c3f98d2219c37076b238fb759c751ea > > A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in > function opj_dwt_interleave_v of dwt.c. This vulnerability allows > remote attackers to execute arbitrary code on vulnerable installations > of OpenJPEG. > > AddressSanitizer: heap-buffer-overflow > WRITE of size 4 e078172b1c3f98d2219c37076b238fb759c751ea modifies tcd.c not dwt.c - is this still the correct commit? Also, is this the same vulnerability as the https://pdfium.googlesource.com/pdfium/+/b6befb2ed2485a3805cddea86dc7574510178ea9 (aka Chromium bug 632622) issue that was already assigned CVE-2016-5157 in the https://googlechromereleases.blogspot.com/2016/08/stable-channel-update-for-desktop_31.html post? - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJX0QmYAAoJEHb/MwWLVhi2JuIQAInY8Bed/W9wZwgmO4peepl7 lOJptN9utdMwCdYEug6NzCFjpcUslSmrBQcNdXEGMoPw5rku/Hw73sHNbhdfM71I TDU2OEwzSNQeo+4m/3rXMlYyHwOqHMp3owHQnl5JWJRcz6hhmI/JpokWxKncthtb rpywwao89VJZJf5GLF7RQFXvHwlREP+D3XYrW0cbqEfOrUAQ7oxK5OaFCa30NWrh ISJ4iDalfTeWr7x98Bb3X6v40dL7bkUtuWHnqFN+LwuBJL2MlJ74XmsdIDrSXGOf grrpU1sMGZ+yJhbc+4n6JcTxXI6/AWOaKqn/pkCG8UkNL/LxzuaGmIYguGecYh7V 2tc5e7IZ4IzCYNaRUKKLAtlfENMbOn8IqL0zFWXRoSzw7YcSw24s1A0hzEBiPonS cPWGhMYsu4bCmJmZZenuKNIKx/CuOZq+YgyFpXjowUxFGpZwOk9eVPnpmK8CRl7z kGaS33l9yElstG1gsPeGDxZYHtG09z/T/VrJWIHNieTMUOEO0LZf8+xG5bfXWC1A y5S6GCFOSM+8QrvPHgua4l8h7uAxbCVKlLqahOVhID83sCKKTWyxLGa+1FtPIsRH zTmEMeS0Q6JytXc7f2DitI9t/hEEh877xQLRWactOBmP19XdC+rCLcBZcoksK8UB 2osVa1EkAYD9ZVrCOo0i =CVgG -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.