oss-sec mailing list archives
Re: CVE requests: some issues in gif2webp
From: cve-assign () mitre org
Date: Thu, 27 Oct 2016 03:06:55 -0400 (EDT)
* NULL pointer dereference
  Bug report: https://bugs.chromium.org/p/webp/issues/detail?id=310 (private)
  Fix: https://chromium.googlesource.com/webm/libwebp/+/806f6279aef4de8deca01c8e727db4a508716e95
As far as we can tell, what you mean is that gif2webp is a command-line program that only operates on one GIF input file, and if there's crafted EXTENSION_RECORD_TYPE data, the program will crash with a NULL pointer dereference. That would not be a security impact for purposes of CVE. The user can work around the bug by not running gif2webp again on the crafted file.
* Several integer overflows:
  Report: https://bugs.chromium.org/p/webp/issues/detail?id=314 (private)
  Fix: https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83
Use CVE-2016-9085 for everything fixed by e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE requests: some issues in gif2webp Gustavo Grieco (Oct 26)
- Re: CVE requests: some issues in gif2webp cve-assign (Oct 27)