Date: Thu, 3 Sep 2009 12:45:46 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: silc-toolkit

On Mon, 31 Aug 2009, Nico Golde wrote:

> Hi,
> silc-toolkit upstream fixed various security issues which
> from my assessment allow an attacker arbitrary code
> execution. I'd like to get some CVE ids for these.
>
> | ASN1: Fix stack variable overwrite when encoding OID.

This was actually fixed in 1.1.8 back in 2008:

http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.8

Use CVE-2008-7159, to be filled in later.

> | Fixed string format vulnerability in client entry handling.
> |
> | Reported and patch provided by William Cummings.
>
> This one allows an attacker to execute arbitrary code, tested.
>
> | More string format fixes in silcd and client library

Use CVE-2009-3051 for both of these format strings, to be filled in later.

> | HTTP: fix stack overwrite due to format string error.

Appears to be from http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.9.

Use CVE-2008-7160, to be filled in later.

- Steve