Re: dcraw and CVE-2015-8366 + CVE-2015-8367

[Ian Zimmerman <itz () primate net>]

On 2016-10-16 00:50, Ben Woods wrote:

> I noticed you mentioned in the mailing list post below that "CVE-2015-8366
> will be fixed in v9.27" - did that end up getting fixed in 9.27? How about
> CVE-2015-83667?

> CVE-2015-8366
> Index overflow in smal_decode_segment
> https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2

> CVE-2015-8367
> Memory objects are not intialized properly
> https://github.com/LibRaw/LibRaw/commit/490ef94d1796f730180039e80997efe5c58db780

Since there has been no reply here, I examined the source for dcraw
9.27, and as far as I can see neither of these issues is addressed by
it.  Of course, the author has the final word.

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html