Date: Mon, 19 Aug 2013 14:18:35 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hamid Zamani <me@...idx9.ir>
Subject: Re: CVE Request : NAS v1.9.3 multiple Vulnerabilites

On 08/16/2013 12:44 AM, Hamid Zamani wrote:
> Hello,
> 
> Recently I reported some vulnerabilities in Network Audio System
> (NAS) - v1.9.3
> 
> These vulnerabilities were reported at:
> 
> http://radscan.com/pipermail/nas/2013-August/001270.html
> 
> and 3 fixes upstream:
> 
> https://sourceforge.net/p/nas/code/288/
> https://sourceforge.net/p/nas/code/287/tree//trunk/server/os/utils.c?diff=517ad7dc2718467b12eafbad:286
> https://sourceforge.net/p/nas/code/289/tree//trunk/server/os/connection.c?diff=517ad7dc2718467b12eafbad:288
> 
> Is it possible to assign a CVE for these?
> 
> Thank you
> 

Ok so we got a total of three kinds of vulns, so same
version/researcher I'm CVE MERGEing them:

Buffer Overflows please use CVE-2013-4256
Heap Overflow please use CVE-2013-4257
Format String please use CVE-2013-4258

As for "Possible Race Condition and symlink attack:" can we confirm
it's a security issue?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993