On 01/02/17 00:42, Bálint Réczey wrote: > Hi Emilio, > > 2017-01-31 22:23 GMT+01:00 Bálint Réczey <[email protected]>: >> Hi Emilio, >> >> 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort <[email protected]>: >>> Hi Balint, >>> >>> On 31/01/17 21:46, Balint Reczey wrote: >>>> Log: >>>> wavpack's issues don't affect wheezy >>>> >>>> The first part of the upstream patch is not needed since the >>>> code is very different and not vulnerable. >>>> The second part applies, but does not make any difference when >>>> trying the exploits. Tested with valgrind on Wheezy. >>> >>> These issues were found with address sanitizer, so I don't think checking >>> with >>> valgrind is enough (it's not the same). >>> >>> May be worth checking with asan (it should be available in wheezy's llvm >>> 3.1). >> >> I was able to reproduce the heap issues on sid with valgrind but i >> give llvm a try, too. > > Llvm 3.1 supports ASAN, but I could not find clang in the llvm-3.1 packages. > What am I missing? :-)
Ah, looks like in wheezy clang was in its own source, and stayed at 3.0: https://packages.debian.org/source/wheezy/clang So I guess we're out of luck. Cheers, Emilio
