Date: Fri, 27 Jan 2017 12:21:42 +0100
From: Raphael Hertzog <hertzog@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Gustavo Grieco <gustavo.grieco@...il.com>
Subject: Re: CVE-2016-9584: heap use-after-free on libical

On Fri, 20 Jan 2017, Gustavo Grieco wrote:
> > Any reason why you did not request a CVE for #251?
>
> Yes. It was already reported here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 (CVE-2016-5824)
> but it was never officially reported upstream (and therefore, never fixed).

It was reported in https://github.com/libical/libical/issues/235 but then
closed by the submitter.

You could have stated in #251 that you believed this crash to be the same
as the one above. It was not obvious to me, I did it for you.

> >> It is worth mentioning there is a very similar bug found (CVE-2016-5824) on
> >> the libical version used by
> >> Thunderbird but we think it is *not* the same as this one. In fact, we've
> >> tested it on Thunderbird and it does *not* crash.
> >>
> >> The reproducer is available upon request.
> >
> > #253 has a reproducer here:
> > https://github.com/libical/libical/files/627392/heap-use-after-free.ical.txt
> >
> > Is this the same file?
>
> It is not the same file in fact. We found a variation of the original
> input that triggers this
> read out-of-bounds to read more than 60 bytes. This looks more serious
> than usual (maybe you can read as much as you want).
> We had some complaints in the past for making public test cases ..

Here, I'm lost. You said that this oss-security report (CVE-2016-9584)
is the same as #253 but you have another file than the test case submitted
in #253. Are you sure that this second file is the same underlying issue?

> > If it's a different file, then I'd like to have access to the file but I
> > would prefer if it was just available publicly and not to me only.
>
> Feel free to make the file public if you want.

You would have to send it to me first :-)

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/