oss-sec mailing list archives

Re: [oCERT-2009-009] CamlImages integer overflows


From: Andrea Barisani <lcars () ocert org>
Date: Sat, 4 Jul 2009 12:14:01 +0100

On Sat, Jul 04, 2009 at 12:39:09PM +0200, Robert Buchholz wrote:
> On Thursday 02 July 2009, Andrea Barisani wrote:
> > Unfortunately oCERT has been unable to get feedback from CamlImages
> > maintainers and the package seems unmaintained; it's therefore
> > suggested to avoid CamlImages usage on production or any environment
> > where strong security is needed.
> 
> Richard Jones of RedHat contributed a patch and upstream has stated plans
> to review and incorporate it:
> http://www.nabble.com/Camlimages-integer-overflows-with-PNG-images-td24321780.html


That's great, I'll update the advisory.

Thanks

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars () ocert org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

