Date: Tue, 1 Dec 2015 23:58:11 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, guidovranken@...il.com
Subject: Re: Re: CVE Request: dhcpcd 3.x, potentially other versions too

On Tue, Dec 01, 2015 at 11:58:47PM -0500, cve-assign@...re.org wrote:
> MITRE will assign CVE IDs. Do the above references mean that most of
> the changed code lines in dhcp.c.patch correspond to out-of-bounds
> reads shown in the
> http://roy.marples.name/projects/dhcpcd/fdiff?sbs=1&v1=63689c50411b0920&v2=dad877391ea5b128
> diff,

I had expected this part of the diff to address the out-of-bounds writes:

    if (out && out != start)
        *(out - 1) = ' ';

> the change from "(l = *q++)" to "(l = *q++) && q - p < len"
> corresponds to an out-of-bounds write,

I must confess that I skimmed the protected code block quickly when coming
to the conclusion that this was out-of-bounds reads -- it's intricate and
involved and the q - p < len check looked correct. But the memcpy(out,...)
call does look like it'd also perform out-of-bounds writes.

> the deletion of "free
> (dhcp->dnssearch)" corresponds to a use-after-free, and nothing else
> in the 2012 part of the http://roy.marples.name reference is a new
> vulnerability? (This is just a guess.)

I should point out that it's my summary that it's a use-after-free --
Guido said in his report that it is a double-free.

> The reason we're asking this and not immediately sending three CVE IDs
> is that someone at MITRE will ultimately use, or at least consider
> using, both https://launchpadlibrarian.net/228152582/dhcp.c.patch and
> http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
> to describe what the CVEs mean. If there's already information about
> the equivalences between these references, that will make this process
> easier, and also further confirm that three IDs is the right number.

I'm afraid the MITRE crew has a more difficult task than we do.

Thanks
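Added example, not dhcpcd's code and not from this thread: a bounded decoder for the RFC 3397 domain-search option in the length-prefixed label format that the patch's `q - p < len` check and `memcpy(out, ...)` operate on, applying the input-bound check before each read and an output-capacity check before each copy. It assumes no compression pointers (rejected for brevity) and uses constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode a DHCP domain-search option (RFC 3397 label format; compression
 * pointers are rejected here for brevity) into a space-separated list of
 * dotted names. Every length byte is attacker-controlled, so it is checked
 * against the remaining input before it is read and against the remaining
 * output before it is copied. Returns the number of characters written
 * (excluding the NUL) or -1 on malformed input or a too-small buffer. */
int decode_search_list(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    const uint8_t *q = p, *end = p + len;
    size_t pos = 0;
    int at_name_start = 1;

    if (outlen == 0)
        return -1;
    while (q < end) {
        uint8_t l = *q++;                  /* untrusted label length */
        if (l == 0) {                      /* root label: name complete */
            if (at_name_start || pos + 1 >= outlen)
                return -1;                 /* empty name, or no room */
            out[pos++] = ' ';
            at_name_start = 1;
            continue;
        }
        if (l & 0xC0)
            return -1;                     /* compression pointer: unsupported */
        if ((size_t)(end - q) < l)
            return -1;                     /* would read past the option */
        if (!at_name_start) {
            if (pos + 1 >= outlen)
                return -1;
            out[pos++] = '.';
        }
        if (outlen - pos <= l)
            return -1;                     /* would write past out */
        memcpy(out + pos, q, l);           /* both bounds verified above */
        pos += l;
        q += l;
        at_name_start = 0;
    }
    if (!at_name_start)
        return -1;                         /* last name not zero-terminated */
    if (pos > 0)
        pos--;                             /* drop trailing separator */
    out[pos] = '\0';
    return (int)pos;
}
```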