Date: Fri, 06 Nov 2015 22:07:27 +0100
From: Luca Bruno <lucab@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: Review+CVE request: multiple issues in redis EVAL command (lua sandbox)

On Friday 06 November 2015 12:07:30 cve-assign@...re.org wrote:
> > https://github.com/antirez/redis/issues/2854
> > https://github.com/antirez/redis/issues/2853
> > https://github.com/antirez/redis/issues/2855
>
> As far as we can tell, 2854 and 2853 do not need to be categorized as
> vulnerability reports, but 2855 is a report of at least one
> vulnerability. See the initial CVE ID assignment below.
> [...]
> Our feeling is that the sandboxing is not (yet) intended to define a
> security boundary with any practical value, and thus ability to defeat
> the sandboxing will not have a CVE ID at present.
> [...]
> Use CVE-2015-8080 for the "getnum ... integer wraparound ... thus
> returning a negative value" vulnerability.

Thanks for the prompt and detailed review!
I understand the line of reasoning and I've no further technical comments on your analysis.
All bug reports have been updated with appropriate references.

Cheers, Luca

--
Luca Bruno (kaeso)
Security Engineer
Rocket Internet SE -> GPG: 0xBB1A3A854F3BBEBF
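The CVE-2015-8080 description above names the bug class only ("getnum ... integer wraparound ... returning a negative value"). The following is an added illustration of that pattern, written for this post and not taken from Redis or its bundled Lua struct library: a getnum-style decimal reader that accumulates digits into an int without an overflow check, beside a checked variant that refuses input before the accumulator can wrap. Function names and the sample inputs are constructed for the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Unchecked digit accumulation, as in the wraparound pattern named in the
 * thread (constructed example, not Redis's code). `*fmt` is advanced past
 * the digits; `df` is returned when no digit is present. Signed overflow
 * here is undefined behaviour in C; in practice the value wraps and a long
 * digit run yields a negative "size" that later code may trust. */
int getnum_unchecked(const char **fmt, int df) {
    if (!isdigit((unsigned char)**fmt)) return df;
    int a = 0;
    while (isdigit((unsigned char)**fmt))
        a = a * 10 + (*(*fmt)++ - '0');   /* no bound on a */
    return a;
}

/* Checked variant: stores the value in *out and returns 1 on success,
 * 0 if another digit would push the accumulator past INT_MAX. The check
 * is performed before the multiply-add, so the overflow never happens
 * and the result is always non-negative. */
int getnum_checked(const char **fmt, int df, int *out) {
    if (!isdigit((unsigned char)**fmt)) { *out = df; return 1; }
    int a = 0;
    while (isdigit((unsigned char)**fmt)) {
        int d = *(*fmt)++ - '0';
        if (a > (INT_MAX - d) / 10) return 0;   /* a*10 + d would exceed INT_MAX */
        a = a * 10 + d;
    }
    *out = a;
    return 1;
}

int main(void) {
    /* Constructed format-string fragments: a small count and one too large. */
    const char *small = "123i", *huge = "99999999999i";
    int v;
    const char *p = small;
    printf("unchecked(\"%s\") = %d\n", small, getnum_unchecked(&p, 1));
    p = huge;
    printf("checked(\"%s\") -> %s\n", huge,
           getnum_checked(&p, 1, &v) ? "ok" : "rejected: would overflow");
    return 0;
}
```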