[Debian-astro-maintainers] Bug#1087911:

Ajin Deepak ajindeepak0007 at gmail.com
Thu Nov 21 14:32:08 GMT 2024


Ajin Deepak <ajindeepak0007 at gmail.com>
7:59 PM (2 minutes ago)
to Debian
Hi,

Thank you for your response and for sharing your perspective on this issue.
I understand your concerns regarding the severity classification of the
memory leak in dcraw. Allow me to provide some additional context and
justification for treating this as a medium to critical issue. While dcraw is
a standalone CLI tool, it can be integrated into other software. For
example, I saw RawTherapee using dcraw.
https://github.com/Beep6581/RawTherapee?tab=readme-ov-file

Address leaks or memory leaks in tools like dcraw could expose sensitive
memory data when run in multi-user systems, potentially aiding attackers in
other exploits such as bypassing ASLR.
https://security.stackexchange.com/questions/22989/how-leaking-pointers-to-bypass-dep-aslr-works

Let me show you an similar CVE which had a memory leak
https://www.cve.org/CVERecord?id=CVE-2024-7526

You can find a number of them in cve.org.

There are a lot of CVEs for CLI tools. For example:

   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4799
   - https://www.cve.org/CVERecord?id=CVE-2024-7867


I understand your concern and thanks for your patience
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-astro-maintainers/attachments/20241121/890419af/attachment-0001.htm>


More information about the Debian-astro-maintainers mailing list