Date: Sun, 29 Mar 2015 02:21:48 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: arj: free on invalid pointer due to buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Jakub Wilk reported arj crashing on an ARJ file in [1]. Guillem Jover
> pointed out that the invalid pointer is due to a buffer overflow write
> access initiated by a value which is under user control, see [2]. He
> prepared as well a patch for this issue [3]. Could you assign a CVE for
> this issue?
>
> [1] https://bugs.debian.org/774015
> [2] https://bugs.debian.org/774015#11
> [3] http://git.hadrons.org/gitweb/?p=debian/pkgs/arj.git;a=blob_plain;f=debian/patches/security-afl.patch

For purposes of determining the number of CVE IDs,
https://bugs.debian.org/774015#11 is considered a 2015 vulnerability
announcement, and https://bugs.debian.org/774015#3 is not considered a
vulnerability announcement at all. (There was another conceivable
interpretation in which part of security-afl.patch fixed an issue
discovered by Jakub Wilk in 2014, and another part of security-afl.patch
fixed a second similar issue discovered by Guillem Jover in 2015, with
two CVEs. We aren't doing that here.)

Use CVE-2015-2782.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVF5mQAAoJEKllVAevmvmsTmEH/ReeQDQTDs+tTkIjaKluhuwV
0U2+fpmNTkKfkr2Gf8CWaQ891Topc/c+dIEMVmuIJuWMJVdYfJ3V8ifB0n4U8srO
Jd4TYqgsWP4xoPBmQtEev5bxPk00/yhnlFv6xUF8Sic2iloLbzEKG+vnBaMCuvxr
uUSu5/xOCPZhxwJAYww0FzS1ZrV4D12iDLtEobfpPq9EEdrQdgMa6n/luX7Lrowe
tDiJTT2vG8I0ITIi5E7itAFTYqcjmWgQ8pt4qqYEeMdgDCsoTEwJz8k8U+JnrjQC
CEVixkXwkY8xxvNzlQE1zArRM6869qWVzCDT2tiTcoMXcPYuDQwAG6VUBGp+XEQ=
=+r+1
-----END PGP SIGNATURE-----
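The request above describes a bug class rather than showing code: a length taken from the file is used to copy into a fixed-size buffer, the write runs past the buffer into an adjacent heap pointer, and that corrupted pointer is later handed to free(). The following C sketch is an added example written for this page; it is not arj's source and not the security-afl.patch fix. The record layout (`struct record`), the one-byte-length field format, and the function names `parse_name_unchecked` / `parse_name_checked` are all hypothetical, chosen only to make the failure mode and the corresponding bounds check concrete. The sample inputs are constructed in the test helpers.

```c
/* Added example, not arj code: user-controlled length overflowing a fixed
 * buffer into a neighbouring heap pointer that is later freed, shown next
 * to a bounds-checked parser for the same (hypothetical) field format. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record: a fixed name buffer immediately followed by a heap
 * pointer. On a typical 64-bit ABI `payload` sits at offset 16, so any write
 * past name[15] lands on the pointer bytes. */
struct record {
    char  name[16];
    char *payload;   /* freed in record_free() */
};

/* Hypothetical field encoding: one length byte, then that many name bytes.
 * Vulnerable variant: trusts the length byte and only checks it against the
 * input size, never against sizeof name. A length of 40 copies 24 bytes
 * past name[], replacing `payload` with attacker-chosen file bytes, and
 * record_free() then calls free() on an invalid pointer. Kept uncalled on
 * hostile input; main() only feeds it a benign field to show that the bug
 * is invisible on well-formed archives. */
int parse_name_unchecked(struct record *rec, const uint8_t *field, size_t field_len)
{
    if (field_len < 1) return -1;
    size_t len = field[0];
    if (field_len < 1 + len) return -1;   /* truncated input only */
    memcpy(rec->name, field + 1, len);    /* no check against sizeof rec->name */
    return 0;
}

/* Hardened variant: reject the length before any memory is touched, leaving
 * room for the terminating NUL, and still reject truncated input. */
int parse_name_checked(struct record *rec, const uint8_t *field, size_t field_len)
{
    if (field_len < 1) return -1;
    size_t len = field[0];
    if (len >= sizeof rec->name) return -1;   /* would overflow name[] */
    if (field_len < 1 + len) return -1;       /* truncated input */
    memcpy(rec->name, field + 1, len);
    rec->name[len] = '\0';
    return 0;
}

struct record *record_new(void)
{
    struct record *rec = calloc(1, sizeof *rec);
    if (!rec) return NULL;
    rec->payload = malloc(64);
    if (!rec->payload) { free(rec); return NULL; }
    return rec;
}

void record_free(struct record *rec)
{
    if (!rec) return;
    free(rec->payload);   /* this is the free() that goes wrong after an overflow */
    free(rec);
}

/* Builds a constructed field with length byte `len` (all 'A' bytes) and
 * returns 1 if the checked parser rejects it while leaving `payload` intact. */
int checked_parser_rejects(size_t len)
{
    if (len > 255) return 0;
    uint8_t field[256];
    field[0] = (uint8_t)len;
    memset(field + 1, 'A', len);
    struct record *rec = record_new();
    if (!rec) return 0;
    char *before = rec->payload;
    int rc = parse_name_checked(rec, field, 1 + len);
    int ok = (rc == -1) && (rec->payload == before);
    record_free(rec);   /* safe: pointer was never overwritten */
    return ok;
}

/* Returns 1 if the checked parser accepts `name` and copies it exactly. */
int checked_parser_accepts(const char *name)
{
    size_t len = strlen(name);
    if (len > 255) return 0;
    uint8_t field[256];
    field[0] = (uint8_t)len;
    memcpy(field + 1, name, len);
    struct record *rec = record_new();
    if (!rec) return 0;
    int rc = parse_name_checked(rec, field, 1 + len);
    int ok = (rc == 0) && (strcmp(rec->name, name) == 0);
    record_free(rec);
    return ok;
}

int main(void)
{
    /* Benign field: both parsers agree, which is why the bug hides. */
    const uint8_t benign[] = { 7, 'f', 'i', 'l', 'e', '.', 't', 'x', 't' };
    struct record *rec = record_new();
    if (!rec) return 1;
    printf("unchecked, benign: rc=%d\n", parse_name_unchecked(rec, benign, sizeof benign));
    printf("checked,   benign: rc=%d name=%.16s\n",
           parse_name_checked(rec, benign, sizeof benign), rec->name);
    record_free(rec);
    /* Hostile length: only the checked parser survives. */
    printf("checked rejects len=40: %d\n", checked_parser_rejects(40));
    return 0;
}
```

The check that matters is the comparison against `sizeof rec->name` before the `memcpy`; checking only that the field fits in the input buffer (as the unchecked variant does) says nothing about whether it fits in the destination.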