Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Oct 2014 01:57:18 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: strings / libbfd crasher

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> a crasher in the PE parser, I don't know if this is the same one, but
> I reported it upstream:
> https://sourceware.org/bugzilla/show_bug.cgi?id=17512
> 
> As this is a write to uninitialized memory it seems to me a CVE is
> deserved.
> 
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e1e19887abd24aeb15066b141cdff5541e0ec8e

Use CVE-2014-8501 for the 7e1e19887abd24aeb15066b141cdff5541e0ec8e
issue.


> https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c16
> 
> Seems to be different from the previous crasher.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c17
> 
> objdump-pe-crasher2 gives a heap overflow

Use CVE-2014-8502 for the objdump-pe-crasher2 issue.


[ The http://openwall.com/lists/oss-security/2014/10/27/2 post
suggests that there isn't a known way to exploit objdump-elf-crasher
or objdump-pe-crasher for code execution. There are currently no CVE
IDs associated with objdump-elf-crasher or objdump-pe-crasher. ]


> https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c33
> https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c34

Use CVE-2014-8503 for this ihex parser issue.


> https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c28
> Fixes another memory corruption bug introduced by patches for PR 17512.
>     
>	* elf.c (bfd_section_from_shdr): Fix heap use after free memory
>	leak.

There is no CVE ID for this issue that apparently does not affect the
2.24 release.


> http://openwall.com/lists/oss-security/2014/10/27/4
> http://openwall.com/lists/oss-security/2014/10/27/5
> https://sourceware.org/bugzilla/show_bug.cgi?id=17510#c7
> https://sourceware.org/bugzilla/show_bug.cgi?id=17510#c8

Use CVE-2014-8504 for this srec_scan issue.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUUyRLAAoJEKllVAevmvmsIbsIAIJDFE1pSNpFW3UyTJ7uSD26
e1vrHDZ+YefWDseQdoXpMoerpD2xvRJ4PBPUMuQhpaBbPTOTaSAb3IjBsJvs3KDs
14iGXCybHv9aiqmrcPVfu08dhplrVkS32W8TswSI4/w2on3BSMV15zqMg+RQssyp
3t1VNcPViYefBYpUlw/MiG5Eqbhld7vXbCFz+QkRxnJ99GJjlhEA+lmjjTVdcSwS
Qtd7/ZwjMKxaf9vUnPNiLpqSYihlNNpIYLa61FIhy0AzKKs2mfny5Qf3InCnnIgV
RIDg61rCsixvEoHZTyk7yrrk1+XIKPoEJv5KgXMloyi4zQ70LJrLhI935bATU4E=
=8LMX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ