Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1754691.K3Z88V5ftk@arcadia>
Date: Sun, 23 Oct 2016 09:45:37 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: jasper: two NULL pointer dereference in bmp_getdata (bmp_dec.c) (Incomplete fix for CVE-2016-8690)

On Saturday 22 October 2016 21:02:46 cve-assign@...re.org wrote:
> > https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereferenc
> > e-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690
> > 
> > AddressSanitizer: SEGV on unknown address 0x000000000000
> > 0x7f90527a18fd in bmp_getdata ...
> > jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5
> Use CVE-2016-8884.
> 
> > AddressSanitizer: SEGV on unknown address 0x000000000000
> > 0x7f888b2f5a43 in bmp_getdata ...
> > jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5
> Use CVE-2016-8885.
> 
> --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]

Hello Mitre,

the previous assignment on this issue was about only one CVE ( see 
http://www.openwall.com/lists/oss-security/2016/10/16/18 )

We sayd that the cause of the two null pointer access was the same.

Now for completeness I posted the stacktrace of both locations in bmp_dec.c 
but I guess that the root cause remains the same.

Do you need to reject one of these two or it is fine as is?


-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.