Hello,
When testing the vulnerability related to CVE-2019-16166 in Ubuntu Jammy (beta version, amd64), which includes version 1.7 of cflow, I obtained results similar to those reported previously in
https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html (the original report regarding this issue and the related CVE).
To get the results, I compiled the Ubuntu cflow package from source with ASAN enabled. I also used the POC files provided in
https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html. To detail this even more, below I link to the ASAN stack trace I got from running cflow with either of the mentioned POC files:
https://pastebin.ubuntu.com/p/GrKxrTgPxx/

I send this message asking about these results because a patch for CVE-2019-16166 was provided as per the comments in
https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6. The patch, however, may be incomplete, as the issue seems to still not be fixed, or I could be missing something.
If there are any questions, please feel free to ask.
Regards,
Camila Camargo de Matos.