As CVE-2011-2895<https://nvd.nist.gov/vuln/detail/CVE-2011-2895> said, the LZW
decompressor is vulnerable to an infinite loop or a heap-based buffer overflow.
As a mitigation, FreeBSD has added checks in
zopen.c<https://github.com/evadot/freebsd/commit/a06534c3c2587eca911a202d556fa656694f021>.
But there seem to be no checks in OpenBSD's
zopen.c<https://github.com/openbsd/src/blob/master/usr.bin/compress/zopen.c#L463>.
Since this is an old CVE, I am just wondering whether OpenBSD is vulnerable to it,
or whether it has been fixed in another way in OpenBSD.
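For readers following the question, here is an added illustration (not part of the original message, and not code from FreeBSD or OpenBSD) of the kind of code-range check an LZW decoder needs to avoid the infinite loop and heap overflow named in the CVE. It is a simplified sketch: `lzw_decode`, `FIRST` and `MAXENT` are assumed names, codes arrive already unpacked, the dictionary is fixed at 12 bits, and there is no CLEAR code.

```c
#include <stddef.h>
#include <stdint.h>

#define FIRST  256   /* first free dictionary slot (this sketch has no CLEAR code) */
#define MAXENT 4096  /* 12-bit dictionary */

/* Decode n already-unpacked LZW codes into out[cap].
 * Returns the number of bytes written, or -1 for a corrupt stream. */
long lzw_decode(const uint16_t *codes, size_t n, unsigned char *out, size_t cap)
{
    static uint16_t prefix[MAXENT];
    static unsigned char suffix[MAXENT], stack[MAXENT];
    unsigned free_ent = FIRST, finchar = 0;
    long oldcode = -1;
    size_t w = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned code = codes[i], incode = code;
        unsigned char *sp = stack;

        if (oldcode == -1) {             /* first code must be a literal byte */
            if (code >= 256 || w >= cap) return -1;
            out[w++] = (unsigned char)(finchar = code);
            oldcode = code;
            continue;
        }
        if (code >= free_ent) {
            /* Only code == free_ent (the KwKwK case) is legal. Anything larger
             * indexes table slots that were never written: the prefix walk
             * below could then cycle forever or run past the end of stack[]. */
            if (code > free_ent || code >= MAXENT) return -1;
            *sp++ = (unsigned char)finchar;
            code = (unsigned)oldcode;
        }
        /* Invariant: code < free_ent, and prefix[k] < k for every k < free_ent,
         * so the walk strictly decreases and needs fewer than MAXENT slots. */
        while (code >= 256) {
            *sp++ = suffix[code];
            code = prefix[code];
        }
        *sp++ = (unsigned char)(finchar = code);
        if ((size_t)(sp - stack) > cap - w) return -1;
        while (sp > stack) out[w++] = *--sp;

        if (free_ent < MAXENT) {         /* add oldcode + finchar to the table */
            prefix[free_ent] = (uint16_t)oldcode;
            suffix[free_ent++] = (unsigned char)finchar;
        }
        oldcode = incode;
    }
    return (long)w;
}
```

When auditing a decoder, the thing to look for is whether every code is compared against the current free entry before the prefix chain is followed.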