Date: Mon, 31 Dec 2012 00:07:44 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marko Lindqvist <cazfi74@...il.com>
Subject: Re: About CVE-2012-5645

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/30/2012 04:05 AM, Marko Lindqvist wrote:
> On 30 December 2012 05:48, Kurt Seifried <kseifried@...hat.com> wrote:
>> Hmm, I'm waffling here. The issues are the same version/reporter,
>> roughly the same; can you post the http://cwe.mitre.org/
>> identifiers for these two issues? If they are different enough
>> this might warrant a CVE split, but for now I'm leaving it
>> merged.
>
> Yes, had it had fixes for both parts listed from the start, there
> would be no problem. The problem is the confusion over where
> CVE-2012-5645 is really fixed. Based on the original description
> here, some distributions claim CVE-2012-5645 is fixed now that they
> have applied one patch only. If you just add a second fix to
> CVE-2012-5645, there will be no way of telling if a particular logmsg
> about "CVE-2012-5645 fixed" means it's fixed completely, or only
> half of it.
>
> - ML

Please continue to use CVE-2012-5645 for

http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701

Added return value indicating success or failure for all dio_get_xxx()
functions, and check that value to avoid infinite loop in reading arrays
from network when there's no more data even though it's expected.

For

http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672

Sanity check packet length received over network against values less
than header length alone to avoid situation where body length is
considered negative.

Please use CVE-2012-6083 for this issue.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ4Tm/AAoJEBYNRVNeJnmT76UP/RP0N5OotsXH9xFCM8L2iNGF
oTd7NoC9Z+XKi+VDoAs+EEJnd1FLZi/D6NlavqSThQRXrDEWPILvwYFUMx/BwHav
WCt0pwHnj4u+mF0bEMmqgqHjvNjMSQBJTldml29+2rtIHRw9RVr8FDJCzGa7jaKG
UoQNYCEI7NMZMTgmVIYdH4lXzRYaROE6JgEjRHL3PblNqsTd0NWZcJsFMzEDuoco
2yvDpbabHbW8tjPxYvlZwTJkxwr35PSCAA0qQYLCyf++KE907j57vwzdQ11V7A5h
3035JFAErLOt6LxxXwbpBtvTsdF4glvBZcwSI6eUA6LJA/w03iX+YiR/HGjoSOg3
tMEow8ZUAeZagZjzBf1ErUS8Caoqldr6jv0pVw0+wpABlhCM7KcYjmqx42/9rlt3
ceaRXWMJFtnHlD4Hw1YS+KTMovuFLYWXyIIOqlxUkMSXpKjBpxwXCS5OVPjuHwd2
Oy28dQy9i0l0ceCstK2amx453f7aR7JL+LuOc4c9Zrm/FPcViX7ZNpFGgV9N6Kr/
kpz3QlNQVfPNp4yNTOT/AfyoseWIYFlEbjva7g1FbMadyFsCijJfqTyWLL8apQqR
XKQXt+xrhtpLyqCKlQmN/S8kXowdFQEnTXtsJ/Z7yQKGHK/BSC355JXYRXiib5I3
a9RSRwP3Yswh5rHoFht/
=oRcq
-----END PGP SIGNATURE-----
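The two fixes the message assigns separate CVEs to are both input-validation defects in a network packet reader: a getter that cannot signal "no more data" (so an array-reading loop never terminates), and a declared packet length that is accepted even when it is smaller than the header it includes (so the computed body length goes negative). The following is an added illustrative example, not freeciv's code and not the patches at the linked revisions; the reader struct, the function names (pkt_get_u8, pkt_get_array, pkt_check_length, pkt_parse), the 3-byte header layout and the sample packets are all assumptions constructed for this example. It shows the hardened form of both checks in a minimal parser.

```c
/* Added example (not freeciv's own code): a minimal network-buffer
 * reader showing the two classes of check described in the message.
 * All names, the header layout and the sample inputs are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PKT_HEADER_LEN 3   /* assumed layout: 2-byte length + 1-byte type */

struct pkt_reader {
    const uint8_t *buf;   /* received bytes */
    size_t len;           /* number of bytes actually received */
    size_t pos;           /* read cursor */
};

/* Getter that reports failure instead of silently returning a default
 * value when the buffer is exhausted. A getter with no return value
 * leaves the caller unable to tell "read a zero" from "nothing left". */
bool pkt_get_u8(struct pkt_reader *r, uint8_t *out) {
    if (r->pos >= r->len) {
        return false;           /* no more data: caller must stop */
    }
    *out = r->buf[r->pos++];
    return true;
}

/* Read an array of exactly `count` bytes, stopping on the first short
 * read. Returns the number of bytes read, or -1 if the input was
 * truncated. Checking the getter's result is what bounds the loop. */
int pkt_get_array(struct pkt_reader *r, uint8_t *dst, size_t count) {
    for (size_t i = 0; i < count; i++) {
        if (!pkt_get_u8(r, &dst[i])) {
            return -1;          /* truncated: expected more than arrived */
        }
    }
    return (int)count;
}

/* Reject a declared packet length smaller than the header alone.
 * Otherwise body_len = declared - header goes negative, which as an
 * unsigned size_t becomes a huge value handed to later reads. */
bool pkt_check_length(uint16_t declared_len, size_t *body_len) {
    if (declared_len < PKT_HEADER_LEN) {
        return false;
    }
    *body_len = (size_t)declared_len - PKT_HEADER_LEN;
    return true;
}

/* Parse one packet: big-endian u16 length, u8 type, then the body.
 * Returns the number of body bytes read, or -1 on any malformed input. */
int pkt_parse(const uint8_t *buf, size_t len, uint8_t *body, size_t body_cap) {
    struct pkt_reader r = { buf, len, 0 };
    uint8_t hi, lo, type;
    size_t body_len;

    if (!pkt_get_u8(&r, &hi) || !pkt_get_u8(&r, &lo) || !pkt_get_u8(&r, &type)) {
        return -1;              /* not even a full header arrived */
    }
    uint16_t declared = (uint16_t)((hi << 8) | lo);
    if (!pkt_check_length(declared, &body_len)) {
        return -1;              /* length smaller than the header itself */
    }
    if (body_len > body_cap) {
        return -1;              /* caller's buffer cannot hold the body */
    }
    return pkt_get_array(&r, body, body_len);
}
```

Usage: pkt_parse on the constructed packet {0x00, 0x06, 0x01, 'a', 'b', 'c'} returns 3; a packet that declares 8 bytes but delivers only 4 returns -1 instead of looping, and a packet declaring a length of 1 is rejected before any body length is computed.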