Date: Thu, 07 Aug 2014 17:56:56 +1000 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: issues in ISO C++ 2011 regex library On 08/06/2014 04:36 AM, Rich Felker wrote: > On Tue, Aug 05, 2014 at 03:50:32PM +1000, Murray McAllister wrote: >> Hello, >> >> Maksymilian Arciemowicz reported a number of issues in the ISO C++ >> 2011 regex libraries: >> >> http://seclists.org/fulldisclosure/2014/Aug/1 >> >> Bugs: >> >> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61601 >> >> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61582 >> >> http://llvm.org/bugs/show_bug.cgi?id=20291 >> >> For the memory corruption bug (61582), there seems to be more than >> one issue here (at least a heap-based buffer overflow and a stack >> overflow of some sort). Can a single CVE be assigned, or do you need >> specific details for each issue (I don't currently have those)? >> >> With GCC 4.8 in Fedora, the affected program needs to be compiled >> using the "-std=c++11" option. > > I think this issue is mis-named. "The ISO C++ 2011 regex library" is a > specfication, not an implementation, and a vulnerability in it would > be a fundamental flaw in the API design (analogous to gets in C). It > seems like this CVE request is for one or more GCC/libstdc++ bugs, and > it should be identified as such. > > Rich > Thanks for pointing that out, and sorry for the confusion! There is some discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1126691 about why these should not be treated as security issues. Cheers, -- Murray McAllister / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ