Hi Emilio, 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort <po...@debian.org>: > Hi Balint, > > On 31/01/17 21:46, Balint Reczey wrote: >> Log: >> wavpack's issues don't affect wheezy >> >> The first part of the upstream patch is not needed since the >> code is very different and not vulnerable. >> The second part applies, but does not make any difference when >> trying the exploits. Tested with valgrind on Wheezy. > > These issues were found with address sanitizer, so I don't think checking with > valgrind is enough (it's not the same). > > May be worth checking with asan (it should be available in wheezy's llvm 3.1).
I was able to reproduce the heap issues on sid with valgrind but i give llvm a try, too. Cheers, Balint