From the CVE Team at Mitre: "The vulnerability description for the entry in the CVE corpus does not mention code execution (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8754). You will need to consult Debian as to why they make that claim."

Debian security team, please elaborate.

On Mon, Apr 2, 2018 at 4:51 PM, Joachim Metz <[email protected]> wrote:
> I'm the maintainer of libevt, this security issue
> (https://www.debian.org/security/2018/dsa-4160) was brought to my
> attention.
>
> It was discovered that insufficient input sanitising in libevt, a
> library to access the Windows Event Log (EVT) format, could result in
> denial of service or the execution of arbitrary code if a malformed
> EVT file is processed.
>
> "the execution of arbitrary code"
>
> where is the proof of these claims?
>
> the bug is a heap read out of bounds until now I've not seen proof of
> possible exploitation.
