-
Notifications
You must be signed in to change notification settings - Fork 277
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2017-11553: illegal address access in the extend_alias_table function in localealias.c #54
Comments
I can confirm the crash with Git 31fc5d2 |
This has been fixed on master. I'll add the reproducer and check if it has been fixed on 0.26 too. |
Hi
On Wed, Oct 18, 2017 at 11:13:22PM +0000, D4N wrote:
This has been fixed on master. I'll add the reproducer and check if it has been fixed on 0.26 too.
Which commit in master fixes the issue?
|
I'll have to find out. This issue slipped through when I was fixing them. However, it won't be a single commit that fixes this issue. I guess you are the package maintainer of exiv2 for Debian? In that case, you'll get all the security fixes for all the CVEs from the 0.26 branch. We have backported only security fixes and the respective tests (although this will be only fully completed after #127 is merged). |
Added reproducer for #54 / CVE-2017-11592 to the test suite
I'm forwarding a security vulnerability reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1471772
The file used to reproduce the issue is here:
https://bugzilla.redhat.com/attachment.cgi?id=1299839
(this is rar archive containing the actual reproducer file)
Here's a copy of the report:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
The text was updated successfully, but these errors were encountered: