Control: clone -1 -2
Control: retitle -1 swftools: CVE-2017-8400: out-of-bound write of heap data issue can occur in function png_load()
Control: forwarded -1 https://github.com/matthiaskramm/swftools/issues/13
Control: severity -2 important
Control: retitle -2 swftools: CVE-2017-8401: out-of-bound read of heap data issue can occur in function png_load()
Control: forwarded -2 https://github.com/matthiaskramm/swftools/issues/14
On Sat, May 06, 2017 at 08:12:13PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Tue, May 02, 2017 at 10:01:31PM +0200, Salvatore Bonaccorso wrote:
> > CVE-2017-8400[0]:
> > | In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the
> > | function png_load() in lib/png.c:755. This issue can be triggered by a
> > | malformed PNG file that is mishandled by png2swf. Attackers could
> > | exploit this issue for DoS; it might cause arbitrary code execution.
> >
> > CVE-2017-8401[1]:
> > | In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the
> > | function png_load() in lib/png.c:724. This issue can be triggered by a
> > | malformed PNG file that is mishandled by png2swf. Attackers could
> > | exploit this issue for DoS.
>
> I only skimmed over this bug during the BSP in Zurich. Whilst
> CVE-2017-8400 is fixed upstream, CVE-2017-8401 seems still present.
> Upstream claims it should be fixed with a particular commit, but
> running under valgrind I still see out-of-bounds reads in the png_load
> function. So this needs further investigation.

Since these are two classes of issues, I am splitting this bug up into one for
CVE-2017-8400 and one for CVE-2017-8401 to better track the fixes.

Regards,
Salvatore
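The message above describes reproducing the png_load() issues by feeding png2swf a malformed PNG under valgrind. As an added example (not part of the bug report, and not swftools' own code), the script below builds a small test PNG whose IHDR declares more scanlines than the IDAT payload actually contains, and implements the consistency check a robust loader should make before trusting header-derived sizes: decoded pixel bytes versus the geometry the header promises, plus per-chunk length and CRC validation. The PNG layout and CRC rules are from the PNG specification; the sample images are constructed here, and nothing in this code reflects what lib/png.c does at lines 724 or 755.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Bytes per pixel for 8-bit images, keyed by PNG colour type
# (0 grey, 2 RGB, 4 grey+alpha, 6 RGBA). Indexed (3) is omitted for brevity.
BYTES_PER_PIXEL = {0: 1, 2: 3, 4: 2, 6: 4}


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialize one chunk: 4-byte big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_png(width: int, height: int, rows: list, color_type: int = 2) -> bytes:
    """Build an 8-bit PNG whose IHDR claims width x height but whose IDAT holds
    exactly the scanlines in `rows` (filter type 0 prepended to each).
    Passing fewer rows than the header implies yields a constructed malformed
    file of the kind a loader must not trust blindly."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, color_type, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, payload) per chunk, rejecting lengths that run past the
    buffer and payloads whose CRC does not match."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    pos = 8
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"chunk {ctype!r} claims {length} bytes past end of file")
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        yield ctype, payload
        pos = end + 4


def check_png(data: bytes) -> dict:
    """Compare the geometry declared in IHDR with the pixel data actually present.
    A loader that sizes its heap buffers from IHDR and then copies however many
    bytes the IDAT stream yields (or vice versa) is exactly where header/payload
    disagreement turns into an out-of-bounds access."""
    idat = b""
    width = height = bpp = None
    for ctype, payload in iter_chunks(data):
        if ctype == b"IHDR":
            width, height, depth, color_type, _, _, _ = struct.unpack(">IIBBBBB", payload)
            if depth != 8 or color_type not in BYTES_PER_PIXEL:
                raise ValueError("unsupported bit depth / colour type for this checker")
            bpp = BYTES_PER_PIXEL[color_type]
        elif ctype == b"IDAT":
            idat += payload
    if width is None:
        raise ValueError("no IHDR chunk")
    expected = height * (1 + width * bpp)   # one filter byte per scanline
    actual = len(zlib.decompress(idat))
    return {"width": width, "height": height,
            "expected_bytes": expected, "actual_bytes": actual,
            "consistent": expected == actual}


if __name__ == "__main__":
    good = build_png(2, 2, [b"\xff\x00\x00" * 2] * 2)
    bad = build_png(2, 4, [b"\xff\x00\x00" * 2] * 2)   # header promises 4 rows, data has 2
    print(check_png(good))
    print(check_png(bad))
    with open("short_idat.png", "wb") as fh:   # constructed sample for a valgrind run
        fh.write(bad)
    # Example reproduction command, as in the report: valgrind png2swf -o out.swf short_idat.png
```

The generated file is a legitimate fuzz seed: every chunk has a valid length and CRC, so a loader that only verifies chunk integrity will accept it and reach its pixel-copy loop with a header/payload mismatch. Running the target under valgrind (or an ASan build) on such inputs is the cheapest way to confirm whether a claimed upstream fix actually removes the out-of-bounds access rather than merely changing where it happens.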