oss-sec mailing list archives
dcraw and CVE-2015-8366 + CVE-2015-8367
From: Ben Woods <woodsb02 () gmail com>
Date: Sun, 16 Oct 2016 00:50:36 +0800
Hi Dave,

I was wondering if you could comment on whether dcraw is affected by these 2 CVEs and whether new versions have been released which remove the vulnerability?

I noticed you mentioned in the mailing list post below that "CVE-2015-8366 will be fixed in v9.27" - did that end up getting fixed in 9.27? How about CVE-2015-8367?

http://seclists.org/oss-sec/2016/q1/526

CVE-2015-8366
Index overflow in smal_decode_segment
Fixed in LibRaw by:
https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2

CVE-2015-8367
Memory objects are not initialized properly
Fixed in LibRaw by:
https://github.com/LibRaw/LibRaw/commit/490ef94d1796f730180039e80997efe5c58db780

Thanks for your help.

Regards,
Ben

--
From: Benjamin Woods
woodsb02 () gmail com
Current thread:
- dcraw and CVE-2015-8366 + CVE-2015-8367 Ben Woods (Oct 15)
- Re: dcraw and CVE-2015-8366 + CVE-2015-8367 Ian Zimmerman (Dec 01)