Date: Wed, 29 Apr 2015 18:25:24 -0400 (EDT)
From: cve-assign@...re.org
To: martijn@...aard.eu
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request libaxl <= 0.6.9

> I'm coordinating this together with the developers of libaxl (which
> will release a fix later today).
> 
> Because of a bug in the memory allocator of libaxl, parsing a
> specially crafted XML document can result in a heap overflow.
> 
> There is at least 1 known case where an application uses libaxl to
> parse incoming user-supplied XML data, unauthenticated and over the
> network. In the best situation this results in a DoS by memory
> corruption, but RCE is most likely within range for a (skilled)
> attacker.

Use CVE-2015-3450.


> I hope this is all the information you need, as this is my first CVE
> request.

As suggested at the end of the
http://openwall.com/lists/oss-security/2015/04/16/17 post, the
approach you're using (writing to oss-security about a case where the
source-code details of the bug remain private) typically should be
accompanied by a link between the oss-security thread and any later
disclosure.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]