[Git][security-tracker-team/security-tracker][master] CVE-2020-18832 does not affect buster
Bastien Roucariès (@rouca)
rouca at debian.org
Fri Sep 29 16:21:42 BST 2023
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d70320a9 by Bastien Roucariès at 2023-09-29T15:20:16+00:00
CVE-2020-18832 does not affect buster
Code was refactored after buster in order to read chunked png.
PoC was tested under valgrind and fails gracefully without leak or out-of-bounds read
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -232124,6 +232124,7 @@ CVE-2020-18832
RESERVED
CVE-2020-18831 (Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cp ...)
- exiv2 0.27.2-6
+ [buster] - exiv2 <not-affected> (exiv2 -pR flags introduced later and poc fail with "Exiv2 exception in print action for file poc.png". Introduced later by chunked read.)
NOTE: https://github.com/Exiv2/exiv2/issues/828
NOTE: https://github.com/Exiv2/exiv2/pull/862
NOTE: https://github.com/Exiv2/exiv2/commit/6068df4c01ce915befb763bd0fd718d16a5df130 (v0.27.2-RC1)
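Review bot: the added `[buster]` line sits under the CVE-2020-18831 entry, but the commit subject names CVE-2020-18832, which appears in this hunk only as the preceding RESERVED entry. One of the two is mistyped; if 18831 is the intended entry, the subject should be corrected so the tracker history can be searched by the right ID. The parenthetical also states the "introduced later" reasoning twice and embeds the PoC error string. A shorter form such as "vulnerable code introduced later with chunked PNG read; -pR option not present" would read better in the tracker, with the test result left in the commit message.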
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d70320a9873a3f717ed567ae1688e142be6b85f4