[Cc:ing other related bugs, to get other maintainers' opinions]

On Mon, 25 May 2015 16:40:00 +0200, Salvatore Bonaccorso <car...@debian.org> said:

> CVE-2015-3885[0]:
> | Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier
> | allows remote attackers to cause a denial of service (crash) via a
> | crafted image, which triggers a buffer overflow, related to the len
> | variable.

The patch from rawstudio and libraw is easy enough to port over, being a one-line change, but I'd like a second opinion.

The patch just changes the type of len from int to ushort. However, len is only ever set to

    len = (data[2] << 8 | data[3]) - 2

and so will always be less than 0x10000, so I don't see how len can overflow with >= 32-bit ints. I can see how it could cause problems with a signed 16-bit int, but unless I'm missing something, it shouldn't affect Debian in any way, since all our archs are >= 32-bits.

Is that correct, or is my assessment wrong?

--
Hubert Chathi <uho...@debian.org> -- Jabber: hub...@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
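
The expression quoted in the message, evaluated under both declarations of len for every possible 16-bit length field; this is an added example, not code from dcraw or from the message's author. It assumes data holds unsigned bytes and that len is later used as a byte count for a read into a 0x10000-byte buffer, neither of which is shown on the page; BUF_SIZE and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: len is later used as a byte count for a read into a
   buffer of this size; the message only shows how len is computed. */
#define BUF_SIZE 0x10000u

/* The expression from the message, with len declared int (unpatched). */
static int len_int(unsigned char hi, unsigned char lo)
{
    int len = (hi << 8 | lo) - 2;
    return len;
}

/* Same expression with len declared unsigned short (the patch). */
static unsigned short len_ushort(unsigned char hi, unsigned char lo)
{
    unsigned short len = (unsigned short)((hi << 8 | lo) - 2);
    return len;
}

/* Byte count as a size_t-taking call would see it. */
static size_t count_int(unsigned char hi, unsigned char lo)
{
    return (size_t)len_int(hi, lo);      /* a negative len wraps to a huge count */
}

static size_t count_ushort(unsigned char hi, unsigned char lo)
{
    return (size_t)len_ushort(hi, lo);   /* never above 0xFFFF */
}

/* How many of the 65536 possible length fields exceed BUF_SIZE? */
static unsigned oversized(int patched)
{
    unsigned bad = 0;
    for (unsigned f = 0; f <= 0xFFFF; f++) {
        unsigned char hi = (unsigned char)(f >> 8), lo = (unsigned char)f;
        size_t n = patched ? count_ushort(hi, lo) : count_int(hi, lo);
        bad += n > BUF_SIZE;
    }
    return bad;
}

int main(void)
{
    printf("field 0x0001: int len=%d, ushort len=%u\n",
           len_int(0, 1), (unsigned)len_ushort(0, 1));
    printf("oversized counts: int=%u ushort=%u\n", oversized(0), oversized(1));
    return 0;
}
```

The only fields that differ between the two declarations are 0 and 1, where the subtraction goes below zero rather than above 0xFFFF.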