oss-sec mailing list archives
Re: Re: Fuzzing jasper
From: Graham Christensen <graham () grahamc com>
Date: Sun, 16 Oct 2016 10:23:43 +0000
For what it is worth, Jasper has recently issued a release fixing many CVEs, and would likely appreciate these fussing results as bug reports on their github project: https://github.com/mdadams/jasper/ On Sat, Oct 15, 2016 at 11:21 PM <cve-assign () mitre org> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256AddressSanitizer: SEGV on unknown address 0x527ebf in bmp_getdata ...jasper-1.900.1/src/libjasper/bmp/bmp_dec.c:383:5AddressSanitizer: SEGV on unknown address 0x528252 in bmp_getdata ...jasper-1.900.1/src/libjasper/bmp/bmp_dec.c:385:5 Use CVE-2016-8690 for both of these (the first and fifth items in the http://www.openwall.com/lists/oss-security/2016/08/23/6 post).AddressSanitizer: FPE on unknown address 0x56de63 in jpc_dec_process_siz ...jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:1195:17 Use CVE-2016-8691.AddressSanitizer: FPE on unknown address 0x56dee3 in jpc_dec_process_siz ...jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:1197:18 Use CVE-2016-8692.AddressSanitizer: attempting double-free 0x51f8f8 in mem_close ...jasper-1.900.1/src/libjasper/base/jas_stream.c:1073:3 Use CVE-2016-8693. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYAu2GAAoJEHb/MwWLVhi2D2wQAI6W9/5UOJJD9vMc25GdYVGo Is0tX/21v2ibFpgyAAHBLaQd1ohNeu9U5Y6Nj9lAYAydmcoEZrXX9FxEMNp6XlI3 ybIDOapRLsjqLovdEzZUEnEDiHWAFS/t/p4hZv67PB7fHWKkeA3QhthSf3OlGVNm IDQX8jMzhb96ZLS9aq5Hlz28K2z2Bx9j08WXQ0Fkp2ksMOCdNF0QwRp1TuA7Ork8 gtxNSVS+r8oAwWBH9fdwU8d9rgBoh0nkMVt9PJex5Hd4ys8CrOS6gBBc9HqDcxdc bVdYRUuNbXJjZdlOcfQU37a6MyWJ0gCmCp6xs7u1joAnNmzT9C894xLInJFzx37n JVqNBMltWgkkp1ClyVIdkRJErif2JstRpL59JBaMXgSRD0ZCZRsMrehc6SobX0A1 iUGxdjG/jpP7c8ZPaC2SS/1y0cEpP7CsbDFliZaGxt6QcKOfNqs33L3DSuc7qn0d OJIH4GMNlZQFgf7+c67+ZSi86HVmTda9DJjm2a9uqU7tKKE/kJWC9OyWTef9K0aJ 1HAu1yNjgGmc/oIIMCk/8wNO4UqlHiXhcF/kjWUBc4/eTAPxYLHSH5703HTStaVU EN0ONeBMsfx6lhZgoJqDC+ItztjnDR90VGJyrH98XoEn+3KzjGkgEeaYv/N/mUfw Q/58lzCKYeVI4ovM1u+J =1lOZ -----END PGP SIGNATURE-----
Current thread:
- Re: Fuzzing jasper cve-assign (Oct 15)
- Re: Re: Fuzzing jasper Graham Christensen (Oct 16)
- Re: Re: Fuzzing jasper Agostino Sarubbo (Oct 16)
- Re: Re: Fuzzing jasper Hanno Böck (Oct 16)
- Re: Re: Fuzzing jasper Agostino Sarubbo (Oct 17)
- Re: Fuzzing jasper cve-assign (Oct 22)
- Re: Fuzzing jasper cve-assign (Oct 23)
- <Possible follow-ups>
- Re: Fuzzing jasper Agostino Sarubbo (Oct 16)
- Re: Re: Fuzzing jasper Graham Christensen (Oct 16)