Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 1 Dec 2015 23:58:11 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, guidovranken@...il.com
Subject: Re: Re: CVE Request: dhcpcd 3.x, potentially other
 versions too

On Tue, Dec 01, 2015 at 11:58:47PM -0500, cve-assign@...re.org wrote:
> MITRE will assign CVE IDs. Do the above references mean that most of
> the changed code lines in dhcp.c.patch correspond to out-of-bounds
> reads shown in the
> http://roy.marples.name/projects/dhcpcd/fdiff?sbs=1&v1=63689c50411b0920&v2=dad877391ea5b128
> diff,

I had expected this part of the diff to address the out-of-bounds writes:

		if (out && out != start)
			*(out - 1) = ' ';

> the change from "(l = *q++)" to "(l = *q++) && q - p < len"
> corresponds to an out-of-bounds write,

I must confess that I skimmed the protected code block quickly when coming
to the conclusion that this was out-of-bounds reads -- it's intricate and
involved and the q - p < len check looked correct. But the memcpy(out,...)
call does look like it'd also perform out-of-bounds writes.

> the deletion of "free
> (dhcp->dnssearch)" corresponds to a use-after-free, and nothing else
> in the 2012 part of the http://roy.marples.name reference is a new
> vulnerability? (This is just a guess.)

I should point out that it's my summary that it's a use-after-free --
Guido said in his report that it is a double-free.

> The reason we're asking this and not immediately sending three CVE IDs
> is that someone at MITRE will ultimately use, or at least consider
> using, both https://launchpadlibrarian.net/228152582/dhcp.c.patch and
> http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
> to describe what the CVEs mean. If there's already information about
> the equivalences between these references, that will make this process
> easier, and also further confirm that three IDs is the right number.

I'm afraid the MITRE crew has a more difficult task than we do.

Thanks

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ