Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 25 Jun 2016 08:54:42 -0400 (EDT)
From: cve-assign@...re.org
To: bperry.volatile@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: libical 0.47 SEGV on unknown address

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> filename=segv.ics.bug
> This bug attached had not been reported yet.
> 
> AddressSanitizer: SEGV on unknown address
> 0x4fbb7f in icalproperty_new_clone

Use CVE-2016-5823.


> https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 (Opened a month
> ago. After Tyson reproed the bug in libical, no responses).

Use CVE-2016-5824.


> The following three bugs are distinct heap over-reads in libical
> (tested against libical 0.47 and 1.0) which have had little to no
> reception by Mozilla.

> https://bugzilla.mozilla.org/show_bug.cgi?id=1280832

Use CVE-2016-5825.


> https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

Use CVE-2016-5826.


> https://bugzilla.mozilla.org/show_bug.cgi?id=1281043

Use CVE-2016-5827.


MITRE has no role in determining the list charter, but
http://oss-security.openwall.org/wiki/mailing-lists/oss-security says
"List Content Guidelines ... Any security issues that you post to
oss-security should be either already public or to be made public by
your posting." Because you apparently are publishing both the
research methodology (i.e., AddressSanitizer) and the types of
findings, this is close to a public disclosure but may be outside
the spirit of the list. (We definitely would not have responded here
if the one fully described case, segv.ics.bug, had been omitted.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXbn6tAAoJEHb/MwWLVhi2c7kQAKkdy6WSLV6WAmDF8uJWmJWE
phCI6blik9Gts60jWous3yGJwtKGCapxAiOKPSK4Cwoftx6fgzCjrdZpmrb9PCdK
4eBAByZhThVoFXRWQexWHJgbDG+JD+eMmNGfYMAEbCuVShqrvBeTi7jmB8BcbAzS
XbMfP8d9cjMD+P6Hq9HRXWytRqkdvQ7J54sr0oNmefdKtjbwR5M5mcCacYKomTVf
c0ejV1BuLWnQ/qxoz8eB+3tXUXZWtUbssXI+WnyAV88IuRc8SlSZtl/Y/dbBb68V
XBV+nlgWRyN66gbcMufV/1Uo2/E+xfqjKuj2VXdI+oWnsjjvAo7oIMVwN8hoJE7G
imX6srWFpfJ12qeFcD2b6Lp6KvI3wvDX3uirZ3RAzR0m0sOw/ZMR+uKx5QH4m06s
npqpfYLx/GqtCCjkBSirHqC4KKnFwG1GDDjHPIionZLQYSNOGWsZ3AEog/6a5lma
6k5cy+weP1HYdEnJdri01nH9xFk/A7KWbLo3q/ncQmJZiAO3fK45I/IJxjDlKgZ2
4LUdackzFqHDUYjy7mXciRRSgaHJwWWPs5WOV3I0W4P6nYd2iyBFTtJF1/U+cD22
GEfALIX1q2qq8BJhncP20cYLI7H8WWawVHYSpF2eyFPbfroY0zcfEiiH/54KiYrY
7FyUt5hF3MaNWaUx3Su5
=O5An
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.