Date: Thu, 29 Jan 2015 11:52:02 -0500 (EST) From: cve-assign@...re.org To: Kurt Seifried <kseifried@...hat.com> cc: oss-security@...ts.openwall.com, huzaifas@...hat.com, Mitre CVE assign department <cve-assign@...re.org> Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235) > On 28/01/15 06:57 PM, Huzaifa Sidhpurwala wrote: >> On 01/29/2015 03:17 AM, Florian Weimer wrote: >> >>>> Use CVE-2012-6686 for "unbound alloca use in glob_in_dir" as covered >>>> by Red Hat Bugzilla ID 797096. >>> >>> Oh, it seems Huzaifa posted the wrong Bugzilla reference. >>> >> >> Yes, sorry wrong bz. >> >>> We still need assignment for this fix: >>> >>> <https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7> >>> >>> The matching Red Hat Bugzilla bug is: >>> >>> <https://bugzilla.redhat.com/show_bug.cgi?id=981942> >> The above is the correct bug with the corresponding impact at: >> https://bugzilla.redhat.com/show_bug.cgi?id=1186614 >> >> MITRE, >> >> Can we still use the above CVE for this issue? > > This would be a bad idea and lead to much confusion, especially for > people that have already consumed this CVE and written up reports that > in turn have been shipped to other people/etc. > > Can we REJECT this CVE if the issue is not a security issue, obviously > if it is a security issue we should keep this CVE. The scope of CVE-2012-6686 has already been explicitly identified, i.e. it is 797096. If 797096 does not cover a security issue, or is a duplicate, then we would need to REJECT the CVE. However, 797096 reports that the issue "can lead to program crashes if excessively long inputs are passed to certain functions." This still sounds like it could be a vulnerability. Is this already associated with a different CVE? 797096 points to RHBA-2013:0022, which maps to CVE-2013-4357. However, 797096's title does not include CVE-2013-4357. > Additionally if we can get a new CVE for Bz981942 that would be great, > thanks! There now appear to be two different requests for two separate Bugzilla IDs that might be discussing the same issue. Please clarify. BZ 1186614 is "glibc: Invalid-free when using getaddrinfo()". It points to https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7 which is "Fix encoding name for IDN in getaddrinfo" and modifies gaih_inet() in sysdeps/posix/getaddrinfo.c by setting name=p and malloc_name=true. CVE-2013-7424 is now assigned with the issue whose scope is defined by commit 2e96f1c7 / gaih_inet(). (A 2011 year is not used because 2e96f1c7 does not clearly identify any security relevance.) A separate Bugzilla ID, 981942, might be a duplicate. It is titled "ping6 with idn causes crash," includes Comment 4 (Carlos O'Donell 2013-07-08 09:54:18 EDT) which references a discrepancy with upstream's "name = p;" fix in gaih_inet(). It also directly includes commit 2e96f1c7, which has now been associated with CVE-2013-7424/BZ1186614. Yet, here in 981942, there is no apparent reference to 1186614. Is 981942 a duplicate of CVE-2013-7424/BZ1186614, or is a separate CVE ID required? If a new ID is required, please explain the difference. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ