Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 22 Sep 2014 21:55:28 +0200
From: Pierre Schweitzer <pierre@...ctos.org>
To: oss-security@...ts.openwall.com
Subject: Re: Full disclosure: denial of service in srvx


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 30/08/2014 03:27, cve-assign@...re.org wrote:
> > Putting an extremely high value to these parameters, such as
> > 184467440723049 will lead to an integer overflow. When attempting to
> > queue the function execution, srvx will add it in the past, will attempt
> > to execute it immediately and thus will loop forever on this, and will
> > finally crash due to memory exhaustion.
>
> Use CVE-2014-5508 for the integer overflow.

Thanks. This has been used for the pull request upstream, which has
finally been merged to their trunk.
So, it's fixed in development trunk.

See:
https://github.com/GameSurge/srvx/commit/1c24a6f22c2782fb072239246f868515dbca7459

- -- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUIH6wAAoJEHVFVWw9WFsLyLgP/A/1oVUobq/vc7zGnPYg/eQi
KkkC165VMsNamjhBIx5M4CZGa7Lndhxhojr5HvnjlAY+rYlS3RkMMlxVsR6QZ85q
X3/Ilhs9Zrw2wKjqwhh0yoCSzHz/H9w4pEdMsSqQhUy6H2ETEFFHHMoUDIvzR4ad
YPbmUfEhtRsFR5FPvdvMG5nEj7J244vQXUB6M4FnYtsc8ujtaRmc8/6FB+SWk8Dg
xpdGj42mmmYVklB5kg5pef5BQ7q+Fhe4ode9BlCIG3SLasBecBi5wmvJtaLTN2hZ
ZukejPPfp4KpZSCeoUd1JCqG5k0muSBJBNMiCbOcu/1lE0PCj6I6Esi21MbQB1oE
gXMgZqzXKhS6P4eB8sq4s/t1hVQduSTKf1sf8JcQ8TipcQYm0MXcP6j7Ztck8Akk
/bxlsabGl4wV9+v0PlZej+Q3OQV16ErG6LxDBSBCy7dnPFAVqB0o/1Xl7taezsyp
prKGQJmr5JIlvvJyHetTEYX5ENSfcnr1zXDXgYZk9ubwJEncyqpfPg/t1+ozI3rt
xKyfRB5Ej7G/bAANXdbqL9UyljBltrFbRxWcpPyHQ8ocy9NsRJxmFX+4P68aFCXF
nsLpWWN95T22o8mz+n1aeXszzcfPommzzudAs6NDOjxSubu8/WapV89gz+DhqerZ
jkGkRna/d2M9sdEIvddm
=3ZYr
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ