Hi,

On Sat, Feb 25, 2017 at 01:10:12PM +0100, Thorsten Alteholz wrote:
> On Sat, 25 Feb 2017, Sebastian Reichel wrote:
> > I think stable and oldstable are not affected, since r_read_* was
> > not yet introduced in their versions.
>
> you are right, but doesn't the problem still exist? For example in stable
> the missing check is now in libr/util/mem.c:r_mem_copyendian(), isn't it?

Right. I guess I shouldn't check these things before going to sleep.
I also prepared an update for stable. The example binary revealed
a few more missing NULL checks in 0.9.6's dex parser, which I also
patched. Now it's possible to at least load the binary (note: it's slow
on 0.9.6, but that's normal).

$ r2 ~/r2_dex_parse_debug_item
[0x00000000]> exit

I will write a mail to the security team with the updated stable
source package and CC you.

> > I'm preparing an update for sid & experimental now.
>
> Ok, great, thanks.

sid & experimental are fixed.

> > Please take care of anything related to oldstable.
>
> Ok, we will do.

Thanks.

-- Sebastian