Date: Fri, 9 Sep 2016 10:45:38 -0400 (EDT)
From: cve-assign@...re.org
To: chenqin@...sec.com.cn
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for webp:index overflow,used by memcpy later

> Product: A new image format for the Web:Webp
> in function:ReadFunc
>
> fixed here:
> https://chromium-review.googlesource.com/#/c/355380/
> https://cr-rev.appspot.com/bb50bf42b0a39bc378401a2d5d8eaa678813a92f

Do you know whether Google already assigned a CVE ID to this issue? If
not, do you have access to any of the Google web pages that might
contain the CVE ID if it exists?

An attempt to retrieve the above cr-rev.appspot.com URL results in:

  Location: https://chromium.googlesource.com/chromium/src/+/bb50bf42b0a39bc378401a2d5d8eaa678813a92f

and that second URL results in:

  404 Not Found

Also, https://chromium-review.googlesource.com/#/c/355380/ refers to
https://bugs.chromium.org/p/webp/issues/detail?id=302 but that is
currently not a public bug page.

Finally, https://chromium-review.googlesource.com/#/c/355380/
indicates that this is an issue in the examples/pngdec.c file. A crash
bug in an example program does not necessarily qualify for a CVE ID.
However, in this case, examples/pngdec.c is apparently used to build a
library called libexample_dec, and it's conceivable that arbitrary
applications rely on libexample_dec. (It also seems unlikely that a
Google product relies on libexample_dec; that may be a reason that
Google did not assign a CVE ID.)

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]