Hi

On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
> Hi Markus,
>
> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> > Package: src:libextractor
> > Version: 1:1.6-1
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > while I was working on the security update for Wheezy I discovered
> > that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> > and CVE-2017-15602. I could reproduce two segmentation faults with the
> > provided POCs. They are attached to the upstream bug report:
> >
> > http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> > http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
> >
> > Just run "extract -i $POC"
> >
> > I'm attaching my gdb log files to this bug report.
>
> Since the issues happen in different places from the original reports,
> can you request two new CVEs for those issues?
>
> So for tracking purposes these are two new raised issues, different
> from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
> new ones. Can you as well report it to upstream in case Bertrand
> cannot chime in?
>
> In case not let me know, and I can take care of it tomorrow.
Interestingly, the issues you describe do not seem triggerable with a
fresh build of 1.6 in sid (with --enable-shared=no, --enable-static=yes
with -O0).

sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
Keywords for file /root/1338044:
sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
Keywords for file /root/bin_6iRW3tXve.bin:
sid:~/libextractor-1.6#

and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).
It is, though, with the Debian package (re)build.

What is different?

Regards,
Salvatore