Date: Mon, 15 Sep 2014 11:28:12 -0400 (EDT)
From: cve-assign@...re.org
To: kristian.fiskerstrand@...ptuouscapital.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE assignment for c-icap Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://sourceforge.net/p/c-icap/bugs/59/

> I found the bug in the parse_request() function.
> Please see the details in the attachment.
> <Peter Berestov> pberestov@...il.com

> If a buffer doesn't contain " " or "?" then the *end pointer will increase.
> The pointer can leave the area of memory allocated for the buffer.

Use CVE-2013-7401 for this specific issue discovered by Peter Berestov.

> chtsanti 2013-10-02
>
> This bug and many other related ones are fixed in trunk with patches:
> r1018 and r1021.
>
> http://sourceforge.net/p/c-icap/code/1018/
>
> Fix multiple problems on parsing ICAP requests. In many cases c-icap may
> crash if it does not find a normal ICAP request.

Use CVE-2013-7402 for the chtsanti discoveries, i.e., the other issues in
the pre-r1018 code that made a remote crash possible. This might, for
example, include attack vectors with invalid method names.

There is no CVE ID for the http://sourceforge.net/p/c-icap/code/1021
issue. This seems to be a usability problem that was introduced by the
first version of the security fixes.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUFwT6AAoJEKllVAevmvmsIoEH/AnEdl+oKCBmSfWw/ixQonyY
pKmh4HF1OTh3AsC1tJ88hbDasvr3ZpvPcmPbFtLoRkB5IgFBrCfiAWMAbp3h3gp8
HyCaaz/im7D+gJuDDf1fxCyCqt8pG+Haffk0QGMAVnmbkCyk4NWMt20OXXj/lV/k
G0sXNLwl3J4f/BdjzcjMISZzq1qYq785epzyDycNKynpYA7z3e1fjesJyZ/wB2T5
O9bkjXRuhmjzbSTxYLAwXURVl4c7BWqJJASPq84UDg+R/pW5y3/OUMRrGJ2t79Rp
bAPDDp3mo47PutGcbKTJsZqg2Lu/UJmxvxk+ximP5VeB4MqFcwZv0tVi4byxPx8=
=WCEN
-----END PGP SIGNATURE-----
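The bug class behind CVE-2013-7401, as an added illustration that is not part of the original thread and not c-icap's code: a request-line scan that only stops on ' ' or '?' walks past the end of a buffer that contains neither, while a bounded scan reports "no delimiter" instead. The function names, the arena layout, the token size limits and the sample request lines are all constructed for this example; the shape of the unbounded loop is a hypothetical reconstruction from the bug report's description, not the actual parse_request() source. The hardened parser also rejects unknown method names, the vector the MITRE reply mentions for CVE-2013-7402.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_LEN 64

/* Unbounded scan in the shape the bug report describes: *end advances
 * until it sees ' ' or '?', and nothing else stops it. Hypothetical
 * reconstruction for illustration, not c-icap's parse_request(). */
static size_t scan_unbounded(const char *start)
{
    const char *end = start;
    while (*end != ' ' && *end != '?')
        end++;
    return (size_t)(end - start);
}

/* Bounded scan: stops at limit or at the terminating NUL. Returns 0 and
 * the delimiter offset on success, -1 if no delimiter lies in the buffer. */
static int scan_bounded(const char *start, const char *limit, size_t *out)
{
    const char *end = start;
    while (end < limit && *end != '\0' && *end != ' ' && *end != '?')
        end++;
    if (end == limit || *end == '\0')
        return -1;
    *out = (size_t)(end - start);
    return 0;
}

/* Shows how far the unbounded scan walks without invoking undefined
 * behaviour: the request is copied to the front of a larger arena whose
 * tail is filled with 'X' and ends in a single ' ' sentinel, so the scan
 * stays inside memory we own but returns an offset past the request. */
size_t overrun_distance(const char *request)
{
    char arena[ARENA_LEN];
    size_t len = strlen(request);
    if (len + 2 > ARENA_LEN)
        return 0;
    memset(arena, 'X', sizeof arena);
    memcpy(arena, request, len);
    arena[len] = '\0';           /* terminator a correct parser would honour */
    arena[ARENA_LEN - 1] = ' ';  /* sentinel so the demo terminates */
    return scan_unbounded(arena);
}

struct request_line {
    char method[16];
    char uri[128];
};

/* Hardened request-line parser for "<METHOD> <URI>[?query] <VERSION>".
 * Both scans are bounded, the method must be one of the three ICAP methods
 * (RFC 3507), and every token must fit its destination. Returns 0 on
 * success, -1 on malformed input, with no read past buf + buflen. */
int parse_request_line(const char *buf, size_t buflen, struct request_line *out)
{
    const char *limit = buf + buflen;
    const char *p = buf;
    size_t n;

    if (scan_bounded(p, limit, &n) != 0 || n == 0 || n >= sizeof out->method)
        return -1;
    if (p[n] != ' ')                  /* a '?' inside the method is malformed */
        return -1;
    memcpy(out->method, p, n);
    out->method[n] = '\0';
    if (strcmp(out->method, "REQMOD") != 0 && strcmp(out->method, "RESPMOD") != 0 &&
        strcmp(out->method, "OPTIONS") != 0)
        return -1;

    p += n + 1;
    if (scan_bounded(p, limit, &n) != 0 || n == 0 || n >= sizeof out->uri)
        return -1;                    /* URI must be followed by '?' or ' ' */
    memcpy(out->uri, p, n);
    out->uri[n] = '\0';
    return 0;
}

/* Convenience for checks: 1 if line parses to the expected method and URI. */
int parses_to(const char *line, const char *method, const char *uri)
{
    struct request_line r;
    if (parse_request_line(line, strlen(line), &r) != 0)
        return 0;
    return strcmp(r.method, method) == 0 && strcmp(r.uri, uri) == 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *good = "REQMOD icap://icap.example.net/service?x=1 ICAP/1.0";
    const char *bad  = "REQMOD";
    struct request_line r;

    printf("unbounded scan on \"%s\" walks %zu bytes (request is %zu bytes)\n",
           bad, overrun_distance(bad), strlen(bad));
    if (parse_request_line(good, strlen(good), &r) == 0)
        printf("method=%s uri=%s\n", r.method, r.uri);
    printf("bounded parse of \"%s\": %d\n", bad, parse_request_line(bad, strlen(bad), &r));
    return 0;
}
```

The arena trick exists only so the unbounded loop can be run safely here; in a real server the bytes after the request buffer belong to whatever the allocator placed there, which is exactly why the bug manifests as a crash or a read of unrelated memory. The hardened parser demands that the URI be followed by another token, so a line that ends right after the URI is rejected rather than scanned further.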