On Sat, Jun 18, 2016 at 09:21:58AM +0200, Petter Reinholdtsen wrote:
> [Andreas Bombe]
> > Also, I wonder if the fix for
> > https://github.com/dosfstools/dosfstools/issues/11 (which is
> > 2aad1c83c) shouldn't also be included while we're at it. It has no
> > CVE, the out of bounds memory access itself isn't all that bad but it
> > might create improper date values.
> >
> > https://github.com/dosfstools/dosfstools/commit/2aad1c83c7d010de36afbe79c9fde22c50aa2f74
> 
> It is fine with me, but it is up to the release managers.  Is there a
> Debian bug about this?  I believe it is a requirement for getting a fix
> into stable.
> 
> Is this error supposed to be detected by Valgrind?  I was unable to get
> any warning about out of bounds memory access by valgrind when I tested.

I think there was one issue that only showed up as a memory error on
i386 and not amd64 and this might have been the one.

Also on second thought, never mind… This date conversion is used only to
display information about files, so worst case is that index -1 of a
static array is read and a nonsensical date is displayed to the user. I
don't think it's worth extra effort to include it.


Andreas
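
A bounds-checked version of the kind of date conversion discussed in this thread, as an added example that is not part of the original messages and is not the dosfstools code. It assumes the array index comes from the month field of a standard 16-bit FAT date (bits 5-8), which the thread does not state; `fat_date_to_days` and `days_before_month` are hypothetical names, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Cumulative days before each month in a non-leap year (index 0 = January). */
static const int days_before_month[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};

static int is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Hypothetical helper: decode a FAT date into days since 1980-01-01.
 * Returns 0 on success, -1 if the month or day field is out of range. */
int fat_date_to_days(uint16_t date, long *days_out)
{
    int day   = date & 0x1f;                  /* bits 0-4:  1..31 */
    int month = (date >> 5) & 0x0f;           /* bits 5-8:  1..12 */
    int year  = 1980 + ((date >> 9) & 0x7f);  /* bits 9-15: years since 1980 */
    int leap  = is_leap(year);
    int dim;                                  /* days in this month */
    long days = 0;

    /* Validate before indexing: month 0 would read days_before_month[-1]. */
    if (month < 1 || month > 12)
        return -1;
    dim = (month == 12 ? 31
                       : days_before_month[month] - days_before_month[month - 1])
          + (leap && month == 2);
    if (day < 1 || day > dim)
        return -1;

    for (int y = 1980; y < year; y++)
        days += is_leap(y) ? 366 : 365;
    days += days_before_month[month - 1] + (leap && month > 2) + (day - 1);
    *days_out = days;
    return 0;
}

int main(void)
{
    /* Constructed samples: 2016-06-18, and a date word with month field 0. */
    uint16_t samples[] = { (36 << 9) | (6 << 5) | 18, 0x0001 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long d;
        if (fat_date_to_days(samples[i], &d) == 0)
            printf("0x%04x -> day %ld since 1980-01-01\n", (unsigned)samples[i], d);
        else
            printf("0x%04x -> invalid date field, not converted\n", (unsigned)samples[i]);
    }
    return 0;
}
```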
