Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 15 Dec 2016 12:47:41 -0500
From: <cve-assign@...re.org>
To: <carnil@...ian.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Game Music Emulators: incorrect emulation of the SPC700 audio co-processor of SNES: arbitrary code execution via malformed SPC music file

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html

> 1: Missing X register value clamp for the MOV (X)+,A instruction

Use CVE-2016-9957.


> 2: Missing SP register value clamp for the RET1 instruction

Use CVE-2016-9958.


> Although most operations on the A, X and Y registers clamp the
> resulting values carefully, the very interesting new multiply
> instruction, MUL, does not:
> 
> generate 8-bit register values that are out of bounds

Use CVE-2016-9959 for this MUL vulnerability.


> the DIV instruction is just as interesting as the MUL one. It also
> does transforms on the values of incoming registers, leaving the
> results in the A and Y registers, without any clamping on the Y result

> Even though this code is fairly simple, I don.t claim to understand it
> 100%, particularly with large input values. What I do know is that I
> see various integer overflow opportunities, integer underflow
> opportunities, less useful div-by-zero issues, etc.

There does not seem to be enough information for a detailed CVE
mapping of the DIV behavior.

Use CVE-2016-9960 for the divide-by-zero errors.

Use CVE-2016-9961 for the other mishandling of integer values.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYUtTVAAoJEHb/MwWLVhi2MM8P/19Vn5IpJepycCBEWK1v+hGy
AWvrShniZPMU5zF8hZq+mpzw0/m52Sopwd20aYe2jINiHs1+bv+PfbCDkqH3c3Bv
7rbLKHKeftsB3XRufVpBiSW/c/HguprTinIFoDJhR2752PRGZ8fIKSHM9JRQQlRt
6TqJE8h3eIvduzsJI8otg4eqtWUji6UkurUuBeYh8oK6VTGYZEQZ2WjMaF1HsYz8
RJcHHr9auEnS6YJh4mHb/iwW1duSHSw/Q5Z8iwMGrkKnqbat+mA1XcOzTaOYcQat
yjQMoFLVHmMXmEtWQoYJY9EdYj2xvSo9tpPXgtRS3ozKjeri/g/vNpefErBSdRnS
FaaELv8BxHg1Yw90BHk4+miXDSOLrNl646ZA7cnIGTzI0Rg9aqPkhTUn/NyoKoQ4
O66ToS4OE+zufKTiKFQUifX2reL/C8/zJuLIT2QxqUeXzS5XNDnX3GrGGJikqz2v
OSlMirr6m3zetBvJkx7uTXl+vpQVSHzOFI7efKEp2xuXC3hv0TYiIPXdNfRIM7CL
ut1qIGdpdJpWiA2dfgKEsArbjvqPRGa31D3+RbDwoeFsrViXg5zwAXsY3TnwyotS
2FQ3Vh/ozWQgjcf6g0hcWfwxo5W2igPEOG8sYXgsnJ6tMk1C+3Uy/4ocAMxIyZKZ
NYIBp2AGdYbNm6R7Ck7J
=m+et
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.