Date: Tue, 3 Mar 2015 19:26:58 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: Possible CVE Requests: libmspack: several issues

Hi MITRE CVE assignment team,

On Sun, Feb 22, 2015 at 07:55:55PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Feb 03, 2015 at 04:52:05PM +0100, Salvatore Bonaccorso wrote:
> > Hi
> > 
> > Several issues with the libmspack library were reported recently in
> > the Debian bugtracker by Jakub Wilk. An (older) copy of libmspack is
> > also embedded in ClamAV (not verified if this version is also affected
> > by these issues).
> > 
> > The reported bugs are the following:
> > 
> > null pointer dereference on a crafted CAB:
> >  - https://bugs.debian.org/774665
> > 
> > CHM decompression: division by zero
> >  - https://bugs.debian.org/774725
> > 
> > CHM decompression: pointer arithmetic overflow
> >  - https://bugs.debian.org/774726
> > 
> > off-by-one buffer over-read in mspack/mszipd.c
> >  - https://bugs.debian.org/775498
> > 
> > off-by-one buffer under-read in mspack/lzxd.c
> >  - https://bugs.debian.org/775499
> > 
> > CHM decompression: another pointer arithmetic overflow
> >  - https://bugs.debian.org/775687
> > 
> > Could CVEs be assigned for these issues?
> 
> This seems to have fallen through the cracks.

Can you assign CVEs for these issues, or is there anything more
needed? 

Regards,
Salvatore
