[Secure-testing-commits] r45524 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sun Oct 23 11:08:18 UTC 2016
Author: carnil
Date: 2016-10-23 11:08:18 +0000 (Sun, 23 Oct 2016)
New Revision: 45524
Modified:
data/CVE/list
Log:
Add commit reference for CVE-2016-8887
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-10-23 11:06:45 UTC (rev 45523)
+++ data/CVE/list 2016-10-23 11:08:18 UTC (rev 45524)
@@ -8,9 +8,10 @@
- jasper <not-affected> (Incomplete fix for CVE-206-8887 not applied)
NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00002-jasper-NULLptr-jp2_colr_destroy
NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887
-CVE-2016-8887
+CVE-2016-8887 [NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)]
- jasper <unfixed>
NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c
+ NOTE: Fixed by: https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d (version-1.900.10)
NOTE: When fixing this issue look at the followup report
NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887
NOTE: and include the fix to not make jasper vulnerable to the incomplete fix.
More information about the Secure-testing-commits
mailing list