Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 25 Jun 2016 08:54:42 -0400 (EDT)
From: cve-assign@...re.org
To: bperry.volatile@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: libical 0.47 SEGV on unknown address

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> filename=segv.ics.bug
> This bug attached had not been reported yet.
> 
> AddressSanitizer: SEGV on unknown address
> 0x4fbb7f in icalproperty_new_clone

Use CVE-2016-5823.


> https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 (Opened a month
> ago. After Tyson reproed the bug in libical, no responses).

Use CVE-2016-5824.


> The following three bugs are distinct heap over-reads in libical
> (tested against libical 0.47 and 1.0) which have had little to no
> reception by Mozilla.

> https://bugzilla.mozilla.org/show_bug.cgi?id=1280832

Use CVE-2016-5825.


> https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

Use CVE-2016-5826.


> https://bugzilla.mozilla.org/show_bug.cgi?id=1281043

Use CVE-2016-5827.


MITRE has no role in determining the list charter, but
http://oss-security.openwall.org/wiki/mailing-lists/oss-security says
"List Content Guidelines ... Any security issues that you post to
oss-security should be either already public or to be made public by
your posting." Because you apparently are publishing both the
research methodology (i.e., AddressSanitizer) and the types of
findings, this is close to a public disclosure but may be outside
the spirit of the list. (We definitely would not have responded here
if the one fully described case, segv.ics.bug, had been omitted.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXbn6tAAoJEHb/MwWLVhi2c7kQAKkdy6WSLV6WAmDF8uJWmJWE
phCI6blik9Gts60jWous3yGJwtKGCapxAiOKPSK4Cwoftx6fgzCjrdZpmrb9PCdK
4eBAByZhThVoFXRWQexWHJgbDG+JD+eMmNGfYMAEbCuVShqrvBeTi7jmB8BcbAzS
XbMfP8d9cjMD+P6Hq9HRXWytRqkdvQ7J54sr0oNmefdKtjbwR5M5mcCacYKomTVf
c0ejV1BuLWnQ/qxoz8eB+3tXUXZWtUbssXI+WnyAV88IuRc8SlSZtl/Y/dbBb68V
XBV+nlgWRyN66gbcMufV/1Uo2/E+xfqjKuj2VXdI+oWnsjjvAo7oIMVwN8hoJE7G
imX6srWFpfJ12qeFcD2b6Lp6KvI3wvDX3uirZ3RAzR0m0sOw/ZMR+uKx5QH4m06s
npqpfYLx/GqtCCjkBSirHqC4KKnFwG1GDDjHPIionZLQYSNOGWsZ3AEog/6a5lma
6k5cy+weP1HYdEnJdri01nH9xFk/A7KWbLo3q/ncQmJZiAO3fK45I/IJxjDlKgZ2
4LUdackzFqHDUYjy7mXciRRSgaHJwWWPs5WOV3I0W4P6nYd2iyBFTtJF1/U+cD22
GEfALIX1q2qq8BJhncP20cYLI7H8WWawVHYSpF2eyFPbfroY0zcfEiiH/54KiYrY
7FyUt5hF3MaNWaUx3Su5
=O5An
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ