Date: Tue, 25 Aug 2015 13:25:53 -0400 (EDT) From: cve-assign@...re.org To: pcheng@....com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: libgpf: use-after-free vulnerability in Decoder.cpp -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > An use-after-free issue in Decoder.cpp was reported to upstream. The > problem is due to lack of validation of ColorTableSize. > > https://bugzilla.redhat.com/show_bug.cgi?id=1251749 > https://sourceforge.net/p/libpgf/code/147/ > https://sourceforge.net/p/libpgf/code/148/ We think you mean that a use-after-free can occur when the http://sourceforge.net/p/libpgf/code/HEAD/tree/trunk/libpgf/INSTALL instructions are followed. Use CVE-2015-6673. https://sourceforge.net/p/libpgf/code/147/ seems to be a series of changes for handling failed input validation by propagating an error status, rather than by using assert calls. Typically these cases do not have CVE IDs (see the http://openwall.com/lists/oss-security/2014/11/28/8 post). When writing a general-purpose open-source library, it is often best not to rely on assert calls, because someone may not realize their role, and may decide to adapt the library code and integrate it into their own build process that uses NDEBUG. There can be a CVE ID for behavior of a library with NDEBUG if any of these are true: - the author doesn't provide build instructions - the build instructions always or sometimes use NDEBUG - there's other information suggesting that NDEBUG is acceptable (e.g., "all of the asserts are for impossible conditions that were only relevant during development") - the author intended to support use of NDEBUG or possibly a few other similar conditions (e.g., end users would reasonably guess that NDEBUG was acceptable based on the author's past practices or on how the library is used). - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJV3KRBAAoJEL54rhJi8gl58a8P/jBFCHH5anrDKTyqXxxBk/AI 638SN+O/ve3CssNmXk75E75i5+bZhJvuXpGWDPx3Ew3B5ijlaJ0tzDr5+LXJeo7L OcKTTB1FuepD/5BwittRW1HQDS1X83247tbHpKWNqZVWfMaJb92NU0MTyvB8kU/K modDPxBoY06+aMJvS+p489BfZYMi97/H1mkwGFEekuFEZsET9PA8l0a/Or3Jcbv+ ObdpXWkbiOYlrLJPfPBXFwZ3zRlx3PgRpVfqeB60u0PAU4WW+ZkQdN4ZqntqAwet 6NkfLKcqaMEkcsGNT82lh6eQXbReJS0UWVegE5HJcOu+weAkjjMkxsv6gydeUvEW fChjJ3uinsUifb29XXJ1ofROQhQ1kHxOckiXWKh2MY6ThDXbSPVwPvVnFtzHDZuw BXomIDpLeXcXnXBwtXx6esXQ1WM82BvwKcvnY5kR1crrM6xXUOOpnjf7fnzL/nWn DTZWM6vhmOH21vNX6D7V6oHRkn056R5xxZmpK/MH6p30Dt3hSDUds+BMziC2RerL 7urAVKCbebZOFU4wIJC+78cqcuh6kTost+8nlsqSr6GSstICbgqxk19D9MWGtzRF gFo4z8b/x1709jNMowqnCkLnHnDkDbhw3AJ5Plu05sMoQpyR+QizYKC447lQQwIo 0rrvxnRcjdvtIgzFQiAk =7Eio -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ