Date: Tue, 20 Jan 2015 17:29:25 +0100
From: Martin Prpic <mprpic@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: directory traversal flaw in patch

cve-assign@...re.org writes:

> On Wed, 14 Jan 2015, Martin Prpic wrote:
>
>> Hi,
>>
>> A directory traversal flaw was reported in patch:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
>> https://bugzilla.redhat.com/show_bug.cgi?id=1182154
>>
>> Could a CVE please be assigned to this issue? Thank you.
>>
>> --
>> Martin Prpič / Red Hat Product Security
>
> Use CVE-2015-1196.
>
> ---
>
> CVE assignment team, MITRE CVE Numbering Authority M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Hi!

I think these issues in patch also deserve CVEs:

https://savannah.gnu.org/bugs/?44051
"With a specific file, patch goes to infinite loop and eats all CPU time."

https://savannah.gnu.org/bugs/?44051
"Got another issue which output this before segfault: patching file util.h

Ran out of memory using Plan A -- trying again...

patching file util.h
Segmentation fault"

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=44a987e02f04b9d81a0db4a611145cad1093a2d3
"Add line number overflow checking. Based on Robert C. Seacord's INT32-C document for integer overflow checking and Tobias Stoeckmann's "integer overflows and oob memory access" patch for FreeBSD."

Thank you!

-- 
Martin Prpič / Red Hat Product Security
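The overflow checking named in the commit message above, illustrated as an added example that is not patch's own code: a unified-diff hunk-header parser that refuses any line number or range end that would exceed a 32-bit counter, using INT32-C style precondition tests before each arithmetic step. All names here are mine.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Parsed hunk header: "@@ -old_start,old_count +new_start,new_count @@" */
struct hunk_range { int32_t old_start, old_count, new_start, new_count; };

/* Parse a decimal field into a 32-bit line number; reject overflow
 * by testing the precondition before each n * 10 + d step (INT32-C). */
static bool parse_line_number(const char **sp, int32_t *out)
{
    const char *s = *sp;
    int32_t n = 0;
    if (*s < '0' || *s > '9')
        return false;                  /* field must start with a digit */
    for (; *s >= '0' && *s <= '9'; s++) {
        int d = *s - '0';
        if (n > (INT32_MAX - d) / 10)  /* n * 10 + d would exceed INT32_MAX */
            return false;
        n = n * 10 + d;
    }
    *sp = s;
    *out = n;
    return true;
}

/* Parse "<sign>start[,count]"; a missing count means 1.
 * Also reject ranges whose end (start + count) would overflow. */
static bool parse_range(const char **sp, char sign, int32_t *start, int32_t *count)
{
    const char *s = *sp;
    if (*s++ != sign || !parse_line_number(&s, start))
        return false;
    *count = 1;
    if (*s == ',' && !parse_line_number((s++, &s), count))
        return false;
    if (*count > INT32_MAX - *start)   /* start + count would overflow */
        return false;
    *sp = s;
    return true;
}

/* True (and *h filled) only for a well-formed, overflow-free hunk header. */
bool parse_hunk_header(const char *line, struct hunk_range *h)
{
    const char *s = line;
    if (strncmp(s, "@@ ", 3) != 0)
        return false;
    s += 3;
    if (!parse_range(&s, '-', &h->old_start, &h->old_count) || *s++ != ' ')
        return false;
    if (!parse_range(&s, '+', &h->new_start, &h->new_count))
        return false;
    return strncmp(s, " @@", 3) == 0;
}
```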
