Date: Tue, 20 Jan 2015 17:29:25 +0100
From: Martin Prpic <mprpic@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: directory traversal flaw in patch

cve-assign@...re.org writes:

> On Wed, 14 Jan 2015, Martin Prpic wrote:
>
>> Hi,
>>
>> A directory traversal flaw was reported in patch:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
>> https://bugzilla.redhat.com/show_bug.cgi?id=1182154
>>
>> Could a CVE please be assigned to this issue? Thank you.
>>
>> --
>> Martin Prpič / Red Hat Product Security
>
> Use CVE-2015-1196.
>
> ---
>
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Hi!

I think these issues in patch also deserve CVEs:

https://savannah.gnu.org/bugs/?44051
"With a specific file, patch goes to infinite loop and eats all CPU time."

https://savannah.gnu.org/bugs/?44051
"Got another issue which output this before segfault:
patching file util.h
Ran out of memory using Plan A -- trying again...
patching file util.h
Segmentation fault"

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=44a987e02f04b9d81a0db4a611145cad1093a2d3
"Add line number overflow checking.
Based on Robert C. Seacord's INT32-C document for integer overflow checking and Tobias Stoeckmann's "integer overflows and oob memory access" patch for FreeBSD."

Thank you!

--
Martin Prpič / Red Hat Product Security
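The last commit referenced in the message adds line-number overflow checking to patch. The following is an added example, written for this page and not taken from the message, the commit, or patch's source tree: a small unified-diff hunk-header parser in C that applies the INT32-C precondition style of check (test whether `n * 10 + d` would exceed the maximum before computing it) so that a hostile header such as `@@ -99999999999999999999,1 +1,1 @@` is rejected rather than silently wrapping into a negative or tiny line number. The type name `lin`, the `LINENUM_MAX` limit, and the function names are assumptions chosen for the illustration; the sample headers in `main` are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: a signed line-number type and its ceiling.
 * patch uses its own "lin" typedef; this one is only illustrative. */
typedef long lin;
#define LINENUM_MAX LONG_MAX

/* Parse a decimal line number at *s and advance *s past the digits.
 * Returns false if there is no digit or if the value would exceed
 * LINENUM_MAX. The comparison n > (LINENUM_MAX - d) / 10 is evaluated
 * BEFORE n = n * 10 + d, so neither the multiplication nor the
 * addition can ever overflow (this is the INT32-C precondition idiom). */
static bool scan_linenum(const char **s, lin *out)
{
    const char *p = *s;
    lin n = 0;

    if (*p < '0' || *p > '9')
        return false;
    for (; *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        if (n > (LINENUM_MAX - d) / 10)
            return false;            /* n * 10 + d would not fit in lin */
        n = n * 10 + d;
    }
    *s = p;
    *out = n;
    return true;
}

struct hunk {
    lin old_start, old_count, new_start, new_count;
};

/* Parse "@@ -a[,b] +c[,d] @@". Returns true and fills *h on success.
 * Besides each number fitting in lin, start + count must also fit, since
 * callers compute the end of the range; an end that wraps is how a bad
 * header turns into an out-of-bounds read or an endless loop later. */
bool parse_hunk_header(const char *line, struct hunk *h)
{
    const char *p = line;

    if (strncmp(p, "@@ -", 4) != 0)
        return false;
    p += 4;
    if (!scan_linenum(&p, &h->old_start))
        return false;
    h->old_count = 1;
    if (*p == ',') {
        p++;
        if (!scan_linenum(&p, &h->old_count))
            return false;
    }
    if (strncmp(p, " +", 2) != 0)
        return false;
    p += 2;
    if (!scan_linenum(&p, &h->new_start))
        return false;
    h->new_count = 1;
    if (*p == ',') {
        p++;
        if (!scan_linenum(&p, &h->new_count))
            return false;
    }
    if (strncmp(p, " @@", 3) != 0)
        return false;
    if (h->old_count > LINENUM_MAX - h->old_start ||
        h->new_count > LINENUM_MAX - h->new_start)
        return false;                /* range end would overflow */
    return true;
}

int main(void)
{
    /* Constructed sample headers: two well-formed, two hostile. */
    const char *samples[] = {
        "@@ -1,5 +1,7 @@",
        "@@ -3 +3 @@",
        "@@ -99999999999999999999,1 +1,1 @@",
        "@@ -9223372036854775807,1 +1 @@",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct hunk h;
        if (parse_hunk_header(samples[i], &h))
            printf("ok      %s -> -%ld,%ld +%ld,%ld\n", samples[i],
                   h.old_start, h.old_count, h.new_start, h.new_count);
        else
            printf("reject  %s\n", samples[i]);
    }
    return 0;
}
```

The rejecting branch is the whole point: an unchecked `n = n * 10 + d` on a signed type is undefined behaviour in C and in practice yields a wrapped value that downstream code then trusts as a line count.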