Date: Tue, 1 Dec 2015 23:58:47 -0500 (EST)
From: cve-assign@...re.org
To: seth.arnold@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, guidovranken@...il.com
Subject: Re: CVE Request: dhcpcd 3.x, potentially other versions too

> Guido included a patch along with AFL-discovered inputs to trigger the
> issues:
>
> https://launchpadlibrarian.net/228152582/dhcp.c.patch
>
> Roy Marples has already addressed these issues in upstream dhcpcd
> packages; I believe these issues may require 2012-era CVE identifiers:
>
> http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
>
> I believe this represents three distinct flaws: out of bounds reads beyond
> the end of the supplied packet, out of bounds write before the start of
> the 'out' parameter, and a use-after-free.

MITRE will assign CVE IDs.

Do the above references mean that most of the changed code lines in
dhcp.c.patch correspond to out-of-bounds reads shown in the
http://roy.marples.name/projects/dhcpcd/fdiff?sbs=1&v1=63689c50411b0920&v2=dad877391ea5b128
diff, the change from "(l = *q++)" to "(l = *q++) && q - p < len"
corresponds to an out-of-bounds write, the deletion of
"free (dhcp->dnssearch)" corresponds to a use-after-free, and nothing
else in the 2012 part of the http://roy.marples.name reference is a new
vulnerability? (This is just a guess.)

The reason we're asking this and not immediately sending three CVE IDs
is that someone at MITRE will ultimately use, or at least consider
using, both https://launchpadlibrarian.net/228152582/dhcp.c.patch and
http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
to describe what the CVEs mean. If there's already information about
the equivalences between these references, that will make this process
easier, and also further confirm that three IDs is the right number.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]