On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> Fun times. So I'm stuck now - I reported the CVE issues upstream so
> they're at least aware of the issue:
>
> https://github.com/Exiv2/exiv2/issues/174
>
> ... but I am not sure what to do with the package in Wheezy. I'm tempted
> to mark this as no-dsa because there's no upstream fix and we can't
> reproduce, but I wonder if we should just mark it as not-affected
> instead.

I would like to point out that those CVEs are for fuzzing issues reported
against 0.26 way before the last set of updates:

- in my previous update, many of the issues were really specific to 0.26
  and were not applicable at all to our version in wheezy
- the remaining issues have been fixed and it's quite possible that we
  have duplicate CVEs here, even though the precise crash might not be the
  same (did somebody check this already?), a fix of a common underlying
  problem might have fixed multiple CVEs

Coming back to your ASAN issue, I would suggest that you try to reproduce
the issue with valgrind with 0.23-1+deb7u1 (old version). If you can
reproduce it there, then it's probably fixed by our previous update. If
you can reproduce it with 0.23-1+deb7u2 then it's still open...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
