Date: Wed, 6 May 2009 18:49:22 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: coley@...re.org Subject: Re: Old cscope buffer overflow On Wed, 6 May 2009 11:49:14 -0400 (EDT) "Steven M. Christey" <coley@...us.mitre.org> wrote: > > If you're preparing cscope updates for CVE-2009-0148 and you may > > still be shipping packages based on 15.5, you may want to have a > > look at: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=499174 > > > > Steve, as the first public report for this is from 2006: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=189666 > > > > I believe 2006 CVE id is needed here. > > We recently updated CVE-2009-0148 for overflows in cscope before > 15.7a. Is this the same issue, or do we need a different one? > > This seems to be distinct from CVE-2006-4262 as well... Different from both. CVE-2009-0148 is more of a dupe / re-occurrence / incomplete fix of even older CVE-2004-2541. Some vendors originally addressed that via sprintf -> snprintf across whole sources. Upstream instead preferred to use "%.*s" with bit of length math to avoid overflow and not harm portability. Though the math could int underflow, still allowing buffer overflow. BZ#189666 issue was fixed upstream in 15.6. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ