Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 24 Dec 2016 12:30:11 -0500
From: <cve-assign@...re.org>
To: <oss-security@...ts.openwall.com>
CC: <cve-assign@...re.org>
Subject: Re: Qt QXmlSimpleReader

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

In case anyone immediately needs to track QXmlSimpleReader behavior,
we're assigning an ID for one issue that seems best understood at this
point:

> I just found that (at least for a rebuild of the RHEL7 package of
> qt-4.8.5-12) it is possible to trigger a stack overflow by nesting many
> XML opening tags. Luckily, there doesn't appear to be a way to jump
> over the guard page to another thread's stack on RHEL7/x86_64, but
> that's platform specific.

Use CVE-2016-10040.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYXrAJAAoJEHb/MwWLVhi238YP+gIKi52EJvWROru80v6ROwz/
KkfY2zyKmbbp3EQ33yuzjtdO2UWHW99oYph+4adlYdpMo3szFHSrHc8zvsdsM1j6
xbZK3bj8IYp2jN+B8adKEnY3VgsmXJ2kqa6B+Fvs6fDBjSB0oJ5WBHSBATrv0vg5
zSHSVjf3I3aNEI7MFsGNWqY1T4QZmpUOx4td2ofAToxZqyYeHhcfxXM4kuhXrraL
Dve31NR0RtWELMLexx9c1GFTftkhzspoXeVachJOoxeaGxZfOnXAEf7+6z8mq3cV
ytRFhdncbLwuwAbxy34po7LXh0m5LbQJuBc3RUSntxIb3E6n52X4fpf9CYvQDavq
s4lPuMMo4OyQ7uEEsf20T2k4nAsme18QigKmGAIPDnwVIJp0HStjky5+HgkK/5by
bSttkBIyHNaYf9LTRVBZD/NWeoSkVhen6rqcKhd4JNy3DduoirRhp0rUN7QteW35
5tvvAXeyfxd7FWLBBFgE2VQeDm9StrobdEuFUL/SFimrN0e/UX9RHBU34b6D/XlJ
FaRj7eSwEtGl2lTZym27xuSIcQ08m4SU+paUcWxcIjcDgNI7f9oIAPLrcB7b6fNz
isuovpCpGIDROdc8MuBu0SAmz3wVipC9x0aQcoVE+VH18dJtaB+aoiEY57Eri5Fp
mIbe+axP5b0rPKySAXRx
=sy6o
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.