On Tue, Jul 19, 2016 at 07:48:33PM +0200, Salvatore Bonaccorso wrote:
> Source: lepton
> Version: 1.0-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> Multiple issues were found in lepton. The CVE request was at
> http://www.openwall.com/lists/oss-security/2016/07/17/1 referencing
> https://github.com/dropbox/lepton/issues/26 (note to compile with
> address sanitizer to reproduce the issues).
>
> lepton got several CVE assigned in subsequent
> http://www.openwall.com/lists/oss-security/2016/07/17/6
>
> I'm not sure if current master fixes all the reported cases from #26.

Hi,

I tested all samples in GitHub #26 and the error outputs change from
ASSERTION_FAILURE to UNSUPPORTED_JPEG in 1.2.1, so I think the issue is
solved in that version.

% lepton global_bof.jpeg
lepton v1.0-
header information is incomplete6556934 bytes needed to decompress this file
::::BILL::::
EXP1_EDGE: 268435456.0 vs 0.0 = 0.0%
SIGN_EDGE: 268435456.0 vs 0.0 = 0.0%
EXP1_DC: 268435456.0 vs 0.0 = 0.0%
SIGN_DC: 268435456.0 vs 0.0 = 0.0%
Overall 7x7: 0.0 vs 0.0 = 0.0%
Overall Edge: 536870912.0 vs 0.0 = 0.0%
Overall DC: 536870912.0 vs 0.0 = 0.0%
Overall Misc: 0.0 vs 0.0 = 0.0%
Total: 1073741824.0 vs 0.0 = 0.0%
::::::::::::
ASSERTION_FAILURE SHORT_READ%

% ~/src/debian/lepton/lepton global_bof.jpeg
lepton v1.0-
14882054 bytes needed to decompress this file
UNSUPPORTED_JPEG SHORT_READ

--
ChangZhuo Chen (陳昌倬) <czc...@debian.org>
Debian Developer (https://nm.debian.org/public/person/czchen)
Key fingerprint = EC9F 905D 866D BE46 A896 C827 BE0C 9242 03F4 552D
                  BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B