Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 05 Mar 2012 14:21:06 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Zubin Mithra <zubin.mithra@...il.com>, Dhanesh k <dhanesh1428@...il.com>
Subject: Re: CVE-Request taglib vulnerabilities

On 03/04/2012 08:57 PM, Zubin Mithra wrote:
> Hello,
> 
> 
>> On 03/04/2012 05:53 AM, Zubin Mithra wrote:
>>> Hello,
>>>
>>> Multiple bugs were found and reported in taglib, and have been patched.
>> Out
>>> of the 4 reported, 2 were patched recently while 2 only affected taglib
>>> versions upto 1.7 and not the current development head at github.The
>>> discussion at the taglib mailing list can be viewed here at [1].
>>>
>>> Kindly assign CVE's for the same.
>>>
>>> Thanks,
>>> Zubin Mithra
>>>
>>> [1] http://mail.kde.org/pipermail/taglib-devel/2012-March/002186.html
>>>
>>
>> Can you post a summary of the issues needing CVE #'s? Thanks.
>>
>>
> The issues which were present in the development head were :-
> 
> [1] A crafted ogg file with sampleRate as "0" leads to crash in the
> application using taglib.
>          fixed in the commit -
> https://github.com/taglib/taglib/commit/77d61c6eca4d08b9b025738acf6b926cc750db23

Please use CVE-2012-1107 for this issue.

> [2] "vendorLength" field modification in ogg tag parsing causes crash in
> the application using taglib.
>          fixed in the commit -
> https://github.com/taglib/taglib/commit/ab8a0ee8937256311e649a88e8ddd7c7f870ad59

Please use CVE-2012-1108 for this issue.

> The issues which are present in the latest "release" but not in the current
> development head were :-
> 
> [3] Lack of sanity checks of fields which were read, and were used for
> allocating memory; crafted files would lead of application crash.
> [4] A one bit change in a working ogg file would cause a thread to loop
> infinitely.

Note enough information to assign CVEs.

> *Please note* :-
> 
> [1] and [2] were fixed after the report, and could be assigned CVE's.
> 
> I am unsure about the other two, as they were fixed in the development
> branch, prior to our report. However, a release has not been made with the
> patches for [3] and [4] yet. Kindly assign CVE's for [3] and [4] if you see
> it fit to do so.
> 
> 
> Regards,
> Zubin Mithra
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ