oss-sec mailing list archives
Re: dcraw and CVE-2015-8366 + CVE-2015-8367
From: Ian Zimmerman <itz () primate net>
Date: Thu, 1 Dec 2016 09:15:35 -0800
On 2016-10-16 00:50, Ben Woods wrote:
I noticed you mentioned in the mailing list post below that "CVE-2015-8366 will be fixed in v9.27" - did that end up getting fixed in 9.27? How about CVE-2015-83667?
CVE-2015-8366 Index overflow in smal_decode_segment https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
CVE-2015-8367 Memory objects are not intialized properly https://github.com/LibRaw/LibRaw/commit/490ef94d1796f730180039e80997efe5c58db780
Since there has been no reply here, I examined the source for dcraw 9.27, and as far as I can see neither of these issues is addressed by it. Of course, the author has the final word. -- Please *no* private Cc: on mailing lists and newsgroups Personal signed mail: please _encrypt_ and sign Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
Current thread:
- dcraw and CVE-2015-8366 + CVE-2015-8367 Ben Woods (Oct 15)
- Re: dcraw and CVE-2015-8366 + CVE-2015-8367 Ian Zimmerman (Dec 01)