Date: Mon, 16 Apr 2012 13:32:04 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Huzaifa Sidhpurwala <huzaifas@...hat.com>, jpff@...bath.ac.uk
Subject: Re: CVE Requests: Multiple security flaws in csound5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/15/2012 11:28 PM, Huzaifa Sidhpurwala wrote:
> Hi Folks,
> 
> Multiple security flaws were reported in csound5, details below.
> Can CVE ids please be assigned to these issues?
> 
> 1. Integer overflow leading to buffer overflow in pv_import
> Reference: https://bugzilla.redhat.com/show_bug.cgi?id=810802
> http://secunia.com/secunia_research/2012-7/
> There seem to be two patches for this issue. The earlier fix was
> incomplete and a second patch had to be applied later.

Please use CVE-2012-2106 for this issue.

> 2. Integer overflow leading to buffer overflow in lpc_import
> Reference: https://bugzilla.redhat.com/show_bug.cgi?id=810807
> http://secunia.com/secunia_research/2012-6/
> Though the commit date does not match up with the date described in
> the secunia advisory, this is the only commit which seems to match
> the flaw description.

Please use CVE-2012-2107 for this issue.

> 3. Stack-based buffer overflow in lpc_import
> Reference: https://bugzilla.redhat.com/show_bug.cgi?id=810810
> http://secunia.com/secunia_research/2012-4/

Please use CVE-2012-2108 for this issue.

> 
> John, Can you please review the patches and let us know if they
> are correct?
> 
> Thanks!
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

