Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 18 Aug 2016 20:18:41 -0400 (EDT)
From: cve-assign@...re.org
To: rs@...skills.cz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Requests Facebook HHVM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> -Fix out of bounds write access in
> mb_detect_encoding, mb_send_mail, mb_detect_order.
> https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2

Use CVE-2016-6870. The scope of this CVE is all of the incorrect uses
of strndup that were fixed in this commit. The commit message
references t11337047, which possibly is a bug that was discovered much
earlier. However, because we don't know of any earlier public
disclosure of t11337047, there isn't a separate CVE ID for t11337047.


> -Fix buffer overrun due to integer overflow in bcmath
> https://github.com/facebook/hhvm/commit/c00fc9d3003eb06226b58b6a48555f1456ee2475

Use CVE-2016-6871.


> -Fix integer overflow in StringUtil::implode
> https://github.com/facebook/hhvm/commit/2c9a8fcc73a151608634d3e712973d192027c271

Use CVE-2016-6872.


> -Fix self recursion in compact
> https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e

Use CVE-2016-6873.


> -Fix recursion checks in array_*_recursive
> https://github.com/facebook/hhvm/commit/05e706d98f748f609b19d8697e490eaab5007d69

Use CVE-2016-6874.


> -Fix infinite recursion in wddx
> https://github.com/facebook/hhvm/commit/1888810e77b446a79a7674784d5f139fcfa605e2

Use CVE-2016-6875.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXtk/uAAoJEHb/MwWLVhi2OFwP/Aig7rJ2rCVEyv+/KwDJBC+a
ufukAbNgsFbzHChTJxntRrWS3PJt7DKkZ4a2wlPzdUd4rQKGFObmMMm4OIWw2xaj
TiBngAelDRJNDNP/ZmkEySj9RGS33UMg+6QnI5pOFI3r7uXIqBau+cjIyq3diqUC
NFlaiFy2TcIb82bYRET3r4SIk8019uaP2rfN5CDLKuNPpYIM3d/Xo0490MwufTHh
QyTiFtFDwsZdtCQz5wFR949Lt+B6rEFdhzYDaqjJr9We6POxvy799/8LUI2UGtwN
P6UiCzS1o/ybx6QCh+Lx7wDNBuT/3t0aeFhWx1FJuFodtF9yiILMxD4BpaARlnva
4Nv/+TNhCmcGGLyE3wCrcAVeCX/QcsAaM9fXYVGy2SuqRmljW7sQIhpkaCIzQCwq
EEGCZMeqPBZ1pMlIJgKmWa0PvKfkv0nDtNhQqNN57hS3YcePE8rShO7+/HYRQaYL
zMe8u6OWVZr432Iwcia1Zjxnmi6ix1g3Ua8gz8oWAGrvw5/6T0gEzRyz+OB79+y+
3OKeE/GDQA/aVRutZciQrrHT30uzkgwtoAQdafur5Cna0cEqRQnclcwFxUfPdpr4
qJJFWH2vmPncge0xx2auUaDv8+7OBOonUvlmEWIfowSdg66D0Qm6EyqN6UNZqm5a
tVSy0zt3nnIATS36SGDd
=tBiw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ