Date: Thu, 5 May 2016 01:02:22 -0400 (EDT) From: cve-assign@...re.org To: boehme.marcel@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, bschmidt@...hat.com, florian@...h-krohm.de, nickc@...hat.com Subject: Re: CVE Request: No Demangling During Analysis of Untrusted Binaries -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > 1) Exploitable Buffer Overflow (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 As far as we can tell, you sent a CVE request for this vulnerability to cve-assign@...re.org (from a different email address of yours) on 2016-02-05, and we replied with a CVE ID on 2016-02-06. Is there an additional aspect of 69687 that you are reporting now? Our reply at that time was: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 >> Since n is a signed int, n wraps over at some iteration. Since, >> realloc expects n to be unsigned, we end up allocating less memory >> then actually needed. In the beginning though n is too large and >> xrealloc simply complains. However, if you play a bit with the length >> of arg, you'll quickly turn that integer overflow in a buffer >> overflow. Use CVE-2016-2226 for this incorrect handling of a signed int. > 2) Invalid Write due to a Use-After-Free (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481 Comment 2 says "two distinct bugs." Use CVE-2016-4487 for the btypevec bug. Use CVE-2016-4488 for the ktypevec bug. > 3) Invalid Write due to Integer Overflow (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492 Use CVE-2016-4489. > 4) Write Access Violation (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498 Use CVE-2016-4490 for this issue described as "Root cause: In cp-demangle.c sometimes length-variables are of type long ... Other times they are of type int." Note that this CVE ID is not about the Comment 1 "case where consume_count returns -1" -- that comment does not belong in 70498 at all. > 5) Various Stack Corruptions (Patch under Review) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909 > https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00105 Use CVE-2016-4491 for this issue caused by a lack of checking for "has itself as ancestor more than once." > 6) Write Access Violation (Patch under Review) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926 > https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00223 Use CVE-2016-4492 for both of the "first read the value of a length variable len from the mangled string, then strncpy len characters from the mangled string; more than necessary" issues. Use CVE-2016-4493 for both of the "read the value of an array index n from the mangled string, which can be negative due to an overflow" issues. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXKtL3AAoJEHb/MwWLVhi2+5gP/3qHIH8ngHS85trkFRrAiLtn 5nNVzyil6xjQCo7F7ScLfYQK0AfKGhBhQzO16dAI2hHMIRc8AaXH4cinRHHHQrYM hrwj5SoZoXMgrUZLZJ2v1H0oidBwMFUqprnC1NEgqNMoRw6DM0NZTsy4opgKCl1R dbSfqBybZr+qscnn4wAaN2ctOS0A2/PlSIxDJ5LRPEJyb+fLNVVnbj5LIybjD/To uPpQPkGKekK3oD52huRlb5hLy9qq3eVzoyu0Lup34ec0iRnLQjqwmYm8dZvbhPnt QMgZPe0iyRaQAtpE5nj7eZDhFuQ9vqS1KikzuinZRUkLcIGroGmnUtGdCCDUHzL1 s12c6fpGkU2Huuz9mgVrdtOKdcSyFnvEl14xMCQLBhf8LVNKQ9RkVaHPUWLt+0uw /BtwNCs6NSAGtfi0yuX4F76u3SGKTnell7Za9BJQKXZFeDtwTUc9N01eWGpovB1l um6HQ75vca6+kxlX6ZZn9Zm7Dr1CNtcCLfKka9MtxmfkaucV5vOjlqURA58jrpdS NJU5TgRr2WcFqI/3gfOzQFkz1R1voZMgQJEKNIRtLC04nLWxXwoRAGQ9oJK34y0Z BVoWD9jDc3lEXx+X5MOmUZy4+RQQl0qizLquLxqTXbRUBpgsFP0Mw/w7dWCkghCA kazRhIrShTety5Dx7/qO =Qvdr -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ