Hi Markus,

On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> Package: src:libextractor
> Version: 1:1.6-1
> Severity: important
> Tags: security
>
> Hi,
>
> while I was working on the security update for Wheezy I discovered
> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> and CVE-2017-15602. I could reproduce two segmentation faults with the
> provided POCs. They are attached to the upstream bug report:
>
> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
>
> Just run "extract -i $POC"
>
> I'm attaching my gdb log files to this bug report.

Since the issues happen in different places from the original reports,
can you request two new CVEs for those issues?

So for tracking purposes these are two new raised issues, different
from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
new ones.

Can you as well report it to upstream in case Bertrand cannot chime in?
In case not, let me know, and I can take care of it tomorrow.

Regards,
Salvatore