On 04/10/2016 19:52, Thorsten Alteholz wrote:
Hi Florian,
On Wed, 28 Sep 2016, Florian Weimer wrote:
While trying to write a reproducer for CVE-2016-2776, I discovered
that the 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 version in wheezy would crash,
while unpatched jessie and upstream would not:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839051>
This might be due to an incomplete fix for CVE-2015-5477. If the
entire fix is missing, you can probably reuse the CVE ID. If not,
please let us know, and we'll assign a new ID once you have a patch.
according to [1] the fix for CVE-2015-5477 is just one line, which is
applied correctly in 9.8.4.dfsg.P1-6+nmu2+deb7u6.
Also 9.8.4.dfsg.P1-6+nmu2+deb7u2 crashes as well with your script, so
this seems to be a different problem.
Thorsten
[1] https://kb.isc.org/getAttach/118/AA-01272/cve-2015-5477.patch.txt
I think we are dealing with a different problem here, as Thorsten says
the patch for CVE-2015-5477 seems to be applied correctly in code, yet
9.8.4.dfsg.P1-6+nmu2+deb7u11 is still affected:
http://pastebin.com/2hV7vdzg
The version in jessie ,9.9.5.dfsg-9+deb8u7, is unaffected.
Shaun
