[Pkg-phototools-devel] Bug#874118: CVE-2017-14039: Heap-based buffer overflow in opj_t2_encode_packet function in lib/openjp2/t2.c

Salvatore Bonaccorso carnil at debian.org
Mon Oct 16 17:12:07 UTC 2017


Hello Mathieu,

On Mon, Oct 16, 2017 at 06:12:30PM +0200, Mathieu Malaterre wrote:
> Control: severity -1 important
> 
> While I understand that this generic heap-based buffer overflow ought
> to be fixed in Debian stable, I fail to see why it is marked as
> affecting stretch.
[...]


In my initial report I wrote: "The issue is covered by [3], so trying
to reproduce the issue leads to an assertion failure up to the version
in sid instead."

My point was: yes, if you try to reproduce with the current version you
will reach the assertion, because it's yet covered by the missing
commit 4241ae6fbbf1de9658764a80944dc8108f2b4154. Applying that as well
shows the underlying issue.

Hope this helps!

Regards,
Salvatore


