Date: Fri, 27 Jan 2017 12:21:42 +0100
From: Raphael Hertzog <hertzog@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Gustavo Grieco <gustavo.grieco@...il.com>
Subject: Re: CVE-2016-9584: heap use-after-free on libical

On Fri, 20 Jan 2017, Gustavo Grieco wrote:
> > Any reason why you did not request a CVE for #251?
> 
> Yes. It was already reported here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 (CVE-2016-5824)
> but it was never officially reported upstream (and therefore, never fixed).

It was reported in https://github.com/libical/libical/issues/235 but then
closed by the submitter.

You could have stated in #251 that you believed this crash to be the same
as the one above. It was not obvious to me; I did it for you.

> >> It is worth mentioning that there is a very similar bug found (CVE-2016-5824) on
> >> the libical version used by
> >> Thunderbird, but we think it is *not* the same as this one. In fact, we've
> >> tested it on Thunderbird and it does *not* crash.
> >>
> >> The reproducer is available upon request.
> >
> > #253 has a reproducer here:
> > https://github.com/libical/libical/files/627392/heap-use-after-free.ical.txt
> >
> > Is this the same file?
> 
> It is not the same file, in fact. We found a variation of the original
> input that triggers this
> out-of-bounds read to read more than 60 bytes. This looks more serious
> than usual (maybe you can read as much as you want).
> We had some complaints in the past for making public test cases...

Here, I'm lost. You said that this oss-security report (CVE-2016-9584) is
the same as #253 but you have another file than the test case
submitted in #253.

Are you sure that this second file is the same underlying issue?

> > If it's a different file, then I'd like to have access to the file but I
> > would prefer if it was just available publicly and not to me only.
> 
> Feel free to make the file public if you want.

You would have to send it to me first :-)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
