Date: Fri, 27 Jan 2017 12:21:42 +0100
From: Raphael Hertzog <>
Cc: Gustavo Grieco <>
Subject: Re: CVE-2016-9584: heap use-after-free on libical

On Fri, 20 Jan 2017, Gustavo Grieco wrote:
> > Any reason why you did not request a CVE for #251?
> Yes. It was already reported here:
> (CVE-2016-5824)
> but it was never officially reported upstream (and therefore, never fixed).

It was reported in but then
closed by the submitter.

You could have stated in #251 that you believed this crash to be the same
as the one above. It was not obvious to me, I did it for you.

> >> It is worth mentioning that there is a very similar bug found (CVE-2016-5824) on
> >> the libical version used by
> >> Thunderbird but we think it is *not* the same as this one. In fact, we've
> >> tested it on Thunderbird and it does *not* crash.
> >>
> >> The reproducer is available upon request.
> >
> > #253 has a reproducer here:
> >
> >
> > Is this the same file?
> It is not the same file in fact. We found a variation of the original
> input that triggers this
> read out-of-bounds to read more than 60 bytes. This looks more serious
> than usual (maybe you can read as much as you want).
> We had some complaints in the past for making public test cases...

Here, I'm lost. You said that this oss-security report (CVE-2016-9584) is
the same as #253 but you have another file than the test case
submitted in #253.

Are you sure that this second file is the same underlying issue?

> > If it's a different file, then I'd like to have access to the file but I
> > would prefer if it was just available publicly and not to me only.
> Feel free to make the file public if you want.

You would have to send it to me first :-)

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS:
Learn to master Debian:
