oss-sec mailing list archives
Re: CVE Request: Use-after-free in optipng 0.6.4
From: Mark Felder <feld () feld me>
Date: Thu, 17 Sep 2015 09:54:59 -0500
On Wed, Sep 16, 2015, at 06:11, Gustavo Grieco wrote:
We found a use-after-free causing an invalid/double free in optipng 0.6.4. Upstream is working in fixing it but keep in mind that optipng 0.6.x is officially unsupported. A CVE will be useful since such version is included in distros like Debian and Ubuntu. Please find attached the test case to trigger it. The valgrind report is here:
Is 0.6.5 affected? I would assume it is since you said upstream is working on a patch... -- Mark Felder feld () feld me
Current thread:
- CVE Request: Use-after-free in optipng 0.6.4 Gustavo Grieco (Sep 16)
- Re: CVE Request: Use-after-free in optipng 0.6.4 Mark Felder (Sep 17)
- Re: CVE Request: Use-after-free in optipng 0.6.4 Stefan Cornelius (Sep 19)