@szkiba, @bingdian: the description mentions that the issue is present before version 0.5.4. Can you elaborate where the issue was fixed landing in that version?
CVE-2018-15889 has been rejected by MITRE.
The patch as it was added in Debian upload versioned as 0.3.2-2 should fix this issue.
https://github.com/amadvance/advancecomp/commit/78a56b21340157775be2462a19276b4d31d2bd01 should be the fix for CVE-2019-8383.
https://github.com/amadvance/advancecomp/commit/7894a6e684ce68ddff9f4f4919ab8e3911ac8040 should be the fix for CVE-2019-8379
Krace, any comments on the questions? This would be likely otherwise a duplicate of CVE-2018-5783, which is issue #4 and fixed with https://sourceforge.net/p/podofo/code/1949 .
Unless I'm wrong, but the 3.100 upstream version introduced a check in InitMP3 before doing the memset.
Hi Can you point to which libtiff upstream change did fix the issue?