Date: Wed, 29 Apr 2015 18:25:24 -0400 (EDT) From: cve-assign@...re.org To: martijn@...aard.eu Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request libaxl <= 0.6.9 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I'm coordinating this together with the developers of libaxl (which > will release a fix later today). > > Because of a bug in the memory allocator of libaxl can the parsing of > a specially crafted xml document result in a heap overflow. > > There is at least 1 known case where an application uses libaxl to > parse incoming user supplied xml data, unauthenticated and over the > network. In the best situation this results in DoS by memory > corruption, but RCE is for a (skilled) attacker most likely within > range. Use CVE-2015-3450. > I hope this is all the information you need, as this is my first CVE > request As suggested at the end of the http://openwall.com/lists/oss-security/2015/04/16/17 post, the approach you're using (writing to oss-security about a case where the source-code details of the bug remain private) typically should be accompanied by a link between the oss-security thread and any later disclosure. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVQVnOAAoJEKllVAevmvmsbUQH/RE8R3e2JFAQ/qYE+aDjquWT zvtVGevx+rpjdQewbkZ6d4G1g7YhKtDzwq9I3lfGLo/expVZ/Zjynb7+hr8G+8V8 c5hb/IcQ/4ieTn9avVxwDIdbRJsqAcULpeEek2nMUT9eZAdY7VfjVEzjZG2HTvB9 MXr6oAU4Q0pV/lb4TLZkKfYh79NkXKP5EQCnK0WASqtfEABvSJfz1lPSP7FazlMu Fl4zNlJ9m2Er3xCCNQNb5x5gFGIyoFHLKyyrzzw1Jy1tPUKrdD8tbGLjftMzsK9E HazmqoNgwiBw/jnXpzdMggU3LYk5t2hN0A6DScgI1agIWXnot3Kbvpny1fGYjpU= =NDXC -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ