[Pkg-phototools-devel] Bug#831814: Bug#831814: lepton: CVE-2016-6234 CVE-2016-6235 CVE-2016-6236 CVE-2016-6237 CVE-2016-6238
ChangZhuo Chen (陳昌倬)
czchen at debian.org
Fri Jul 22 01:39:38 UTC 2016
On Tue, Jul 19, 2016 at 07:48:33PM +0200, Salvatore Bonaccorso wrote:
> Source: lepton
> Version: 1.0-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> Multiple issues were found in lepton. The CVE request was at
> http://www.openwall.com/lists/oss-security/2016/07/17/1 referencing
> https://github.com/dropbox/lepton/issues/26 (note to compile with
> address sanitizer to reproduce the issues).
>
> lepton got several CVE assigned in subsequent
> http://www.openwall.com/lists/oss-security/2016/07/17/6
>
> I'm not sure if current master fixes all the reported cases from #26.
Hi,
I tested all samples in GitHub #26 and the error outputs change from
ASSERTION_FAILURE to UNSUPPORTED_JPEG in 1.2.1, so I think the issue is
solved in that version.
% lepton global_bof.jpeg
lepton v1.0-
header information is incomplete6556934 bytes needed to decompress this
file
::::BILL::::
EXP1_EDGE: 268435456.0 vs 0.0 = 0.0%
SIGN_EDGE: 268435456.0 vs 0.0 = 0.0%
EXP1_DC: 268435456.0 vs 0.0 = 0.0%
SIGN_DC: 268435456.0 vs 0.0 = 0.0%
Overall 7x7: 0.0 vs 0.0 = 0.0%
Overall Edge: 536870912.0 vs 0.0 = 0.0%
Overall DC: 536870912.0 vs 0.0 = 0.0%
Overall Misc: 0.0 vs 0.0 = 0.0%
Total: 1073741824.0 vs 0.0 = 0.0%
::::::::::::
ASSERTION_FAILURE
SHORT_READ%
% ~/src/debian/lepton/lepton global_bof.jpeg
lepton v1.0-
14882054 bytes needed to decompress this file
UNSUPPORTED_JPEG
SHORT_READ
--
ChangZhuo Chen (陳昌倬) <czchen at debian.org>
Debian Developer (https://nm.debian.org/public/person/czchen)
Key fingerprint = EC9F 905D 866D BE46 A896 C827 BE0C 9242 03F4 552D
BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
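A small regression harness in the spirit of the test above, added here and not part of the bug report or of the lepton project: it runs a lepton build over a directory of crash samples and classifies each run by the error token lepton prints, so a fixed build can be checked for anything that still trips an assertion or crashes instead of cleanly rejecting the sample. The `LEPTON` binary path and the sample directory are assumptions; the `ASSERTION_FAILURE` and `UNSUPPORTED_JPEG` tokens are those shown in the mail, and the ASan banner is AddressSanitizer's own.

```sh
#!/bin/sh
# Added regression harness (not part of the bug report or of lepton):
# run a lepton build over the crash-sample corpus and classify each run.
# LEPTON (binary path, default "lepton" in PATH) and the sample directory
# are assumptions; ASSERTION_FAILURE / UNSUPPORTED_JPEG are the tokens
# lepton prints in the mail above, the ASan banner is AddressSanitizer's.

# classify_output OUTPUT STATUS: map captured stdout+stderr plus the exit
# status to one verdict word. A fixed build should only ever yield "rejected".
classify_output() {
    output=$1
    status=${2:-0}
    case $output in
        *"ERROR: AddressSanitizer"*) echo asan-crash; return ;;
        *ASSERTION_FAILURE*)          echo assertion;  return ;;
        *UNSUPPORTED_JPEG*)           echo rejected;   return ;;
    esac
    # No known token: a status >= 128 means the process died of a signal
    # (e.g. SIGSEGV in a build without sanitizers).
    if [ "$status" -ge 128 ]; then echo signal-crash; else echo other; fi
}

# triage_corpus DIR: run every file in DIR through lepton, print
# "<verdict>\t<status>\t<file>" per sample, succeed only if nothing crashed.
triage_corpus() {
    dir=$1
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Capture both streams; stdin is closed so a misparsed sample cannot
        # hang waiting for input. The if-form keeps a failing run from
        # aborting the loop when the caller has set -e.
        if out=$("${LEPTON:-lepton}" "$f" 2>&1 </dev/null); then
            status=0
        else
            status=$?
        fi
        verdict=$(classify_output "$out" "$status")
        printf '%s\t%s\t%s\n' "$verdict" "$status" "$f"
        case $verdict in asan-crash|assertion|signal-crash) bad=$((bad + 1)) ;; esac
    done
    [ "$bad" -eq 0 ]
}

# Usage: ./triage.sh /path/to/issue26-samples
if [ -n "${1:-}" ]; then triage_corpus "$1"; fi
```

Run it once against the old build and once against the fixed build; the fixed build is in good shape when every line reads `rejected`.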