[Pkg-phototools-devel] Bug#874118: CVE-2017-14039: Heap-based buffer overflow in opj_t2_encode_packet function in lib/openjp2/t2.c

Mathieu Malaterre malat at debian.org
Mon Oct 16 19:22:41 UTC 2017

Hi Salvatore,

This is the second time you /saved/ me (sorry for my limited Spanish) :)

On Mon, Oct 16, 2017 at 7:12 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
> Hello Mathieu,
> On Mon, Oct 16, 2017 at 06:12:30PM +0200, Mathieu Malaterre wrote:
>> Control: severity -1 important
>> While I understand that this generic heap-based buffer overflow ought
>> to be fixed in Debian stable, I fail to see why it is marked as
>> affecting stretch.
> [...]
> In my initial report I wrote: "The issue is covered by [3], so trying
> to reproduce the issue leads to an assertion failure up to the version
> in sid instead."
> My point was, yes if you try to reproduce with current version you
> will reach the assertion, because it's yet covered by the missing
> commit 4241ae6fbbf1de9658764a80944dc8108f2b4154. Applying that as well
> shows the underlying issue.

Indeed I missed your carefully written bug report(s). Can't believe I
could not use one of those fancy AI to figure out the
whitespace/indent changes to merge those original commits.

Anyway I've manually fixed all those. Pushed +deb9u2 a moment ago.

Thanks again for your bug report(s); they contained all the details needed.

