Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri,  9 Sep 2016 10:45:38 -0400 (EDT)
From: cve-assign@...re.org
To: chenqin@...sec.com.cn
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for webp:index overflow,used by memcpy later

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Product: A new image format for the Web:Webp
> in function:ReadFunc
> 
> fixed here:
> https://chromium-review.googlesource.com/#/c/355380/
> https://cr-rev.appspot.com/bb50bf42b0a39bc378401a2d5d8eaa678813a92f

Do you know whether Google already assigned a CVE ID to this issue? If
not, do you have access to any of the Google web pages that might
contain the CVE ID if it exists?

An attempt to retrieve the above cr-rev.appspot.com URL results in:

  Location: https://chromium.googlesource.com/chromium/src/+/bb50bf42b0a39bc378401a2d5d8eaa678813a92f

and that second URL results in:

  404 Not Found

Also, https://chromium-review.googlesource.com/#/c/355380/ refers to
https://bugs.chromium.org/p/webp/issues/detail?id=302 but that is
currently not a public bug page.

Finally, https://chromium-review.googlesource.com/#/c/355380/
indicates that this is an issue in the examples/pngdec.c file. A crash
bug in an example program does not necessarily qualify for a CVE ID.
However, in this case, examples/pngdec.c is apparently used to build a
library called libexample_dec, and it's conceivable that arbitrary
applications rely on libexample_dec. (It also seems unlikely that a
Google product relies on libexample_dec; that may be a reason that
Google did not assign a CVE ID.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX0sqnAAoJEHb/MwWLVhi2E28QALdM2bA72+4irx6Sh61s5JsS
rToRlvwZpIS5vvDm4TQQOhnviGTGSbUhwuA30p/0Xb8/35gKIhV70QLxIDLZPmHj
gTBowDLV5ffddz5mVkL2cXMnecChuT1v2QsO4jW4WCx/yZoDYrDKTbPiwUENb/pU
I6jg4k1uOJYpvLnPFT56kXD4BDeApqFjAZEfgG7lcdSDIKGN/tNr4kiCsrUVGqE6
oZyQFJz/BvWmncIEcTBkc7aHxXsUdt6rSMuL5QyapilGBclj7M5NmK82Bq+SDNfD
QTVX1fp7gCL8NNDI1SJKBjX/KEp4bGp4NKavifxaZmEn5pq2vBp4uItD/5rn0m6T
nvp7Zvztv0YgdBrlY5M1fhhEo3YFO0+x+NXkBfsi8sbV1G+jQaG1jmjYPQHJaa2e
A/fMInUDO+XqtJBnUPXTM+ZKINj6hH63ar+xi+Dsva8ri++kNooFlMeabpKw7AmQ
+X1RWDqDbWD9sBneG4MBhem3mZRbmvwQGLyBDO84Zxqq4a55ymA+wjz//La00Vn1
G5Qo6rhZFEIUWyqdTkeCE6DLuTtq0xopa+B70WI+MSrq3Bi4QGYNFylyBFURgxns
qzXbRUNqx1F6IrdsljMSyhzB9xwMD6EZUoEiRqFQYt/BDXfk3JqyP6bfapE8ZcyA
jYF48PtLBOUE6wVh0UJi
=scJU
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.