Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 6 May 2009 18:49:22 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: Old cscope buffer overflow

On Wed, 6 May 2009 11:49:14 -0400 (EDT) "Steven M. Christey"
<coley@...us.mitre.org> wrote:

> > If you're preparing cscope updates for CVE-2009-0148 and you may
> > still be shipping packages based on 15.5, you may want to have a
> > look at:
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=499174
> >
> > Steve, as the first public report for this is from 2006:
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=189666
> >
> > I believe 2006 CVE id is needed here.
> 
> We recently updated CVE-2009-0148 for overflows in cscope before
> 15.7a. Is this the same issue, or do we need a different one?
> 
> This seems to be distinct from CVE-2006-4262 as well...

Different from both.  CVE-2009-0148 is more of a dupe / re-occurrence /
incomplete fix of even older CVE-2004-2541.  Some vendors originally
addressed that via sprintf -> snprintf across whole sources.  Upstream
instead preferred to use "%.*s" with bit of length math to avoid
overflow and not harm portability.  Though the math could int
underflow, still allowing buffer overflow.

BZ#189666 issue was fixed upstream in 15.6.

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ