Message-ID: <20170113150447.6abc7f30@redhat.com>
Date: Fri, 13 Jan 2017 15:04:47 +0100
From: Tomas Hoger <thoger@...hat.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, hanno@...eck.de
Subject: Re: Re: Fuzzing jasper

On Sat, 22 Oct 2016 21:00:23 -0400 (EDT) cve-assign@...re.org wrote:

> > https://github.com/mdadams/jasper/issues/28
> > Heap overflow in jpc_dec_cp_setfromcox()  
> 
> > AddressSanitizer: heap-buffer-overflow
> > WRITE of size 1  
> 
> > malformed jpeg2000 file  
> 
> > jpc_dec_cp_setfromcox ... libjasper/jpc/jpc_dec.c:1668:32  
> 
> Use CVE-2016-8880.
> 
> 
> > https://github.com/mdadams/jasper/issues/29
> > Heap overflow in jpc_getuint16()  
> 
> > AddressSanitizer: heap-buffer-overflow
> > WRITE of size 8  
> 
> > jpc_getuint16 ... libjasper/jpc/jpc_cs.c:1572:8  
> 
> Use CVE-2016-8881.

Can the above two CVEs be rejected as duplicates of CVE-2011-4516 and
CVE-2011-4517 respectively?

https://github.com/mdadams/jasper/issues/28#issuecomment-267053875
https://github.com/mdadams/jasper/issues/29#issuecomment-267322934

Thank you!

-- 
Tomas Hoger / Red Hat Product Security
