Date: Tue,  3 Nov 2015 15:05:23 -0500 (EST)
From: cve-assign@...re.org
To: kristian.fiskerstrand@...ptuouscapital.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: pycurl use after free fixed in version 7.19.5.2

> https://github.com/pycurl/pycurl/commit/602f8e364634d386524f0396e962c2c9de0536a9
> 
> my understanding is that use-after-free generally gets assigned a CVE
> based on CWE 416

There isn't that type of direct relationship between the existence of
a CWE ID and the availability of a CVE ID for an instance of the
weakness. CVE, for example, involves additional decision points about
whether the weakness is a mistake (here, yes) and about whether the
weakness is exploitable in a way that crosses a privilege boundary
(here, possibly not). It's also necessary that the vulnerability
existed in something akin to "shipped code." The patch seems to be
possibly related to "PyTuple" and the ChangeLog has "List and tuples
are now accepted in all positions of HTTPPOST option values" for the
same version. If the problem only existed in unshipped code between
7.19.5.1 and 7.19.5.2 as tuple support was being developed, then it
typically would not have a CVE ID.

> I haven't looked into the code in any detail for exploitability

Anyone is welcome to provide additional analysis. We can accept a
threat model in which a Python script allows an untrusted person to
control the string data for properly formed setopt calls. We probably
can't accept an implausible threat model in which a Python script
allows an untrusted person to make improperly formed setopt calls.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]