Date: Mon, 7 Aug 2017 08:15:14 -0400
From: Glenn Randers-Pehrson <glennrp@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Cve issue discussion

Do memory-exhaustion bugs get a CVE? Suppose an application is fooled into requesting 2Gb of memory but then never uses it other than attempting to read it, immediately hitting EOF, and cleaning up.

I'm addressing such a bug in libpng right now, in which the user is sent a PNG file containing a tEXt chunk that claims to have a 2GB length (but none of the 2GB data is included in the PNG). On my platform libpng deals with that almost instantaneously, but I think some platforms (ASAN builds?) would actually allocate the memory before proceeding to read the data.

Glenn

On Mon, Aug 7, 2017 at 5:47 AM, ne xo <nexo123@...look.kr> wrote:
> Hello,
>
> thank you for the reply!
>
> I chose the report at random.
>
> I'm sorry if I offended you by mentioning the report.
>
> Thanks.
>
> ________________________________
> From: Agostino Sarubbo <ago@...too.org>
> Sent: Monday, 7 August 2017 4:42:05 PM
> To: oss-security@...ts.openwall.com
> Subject: Re: [oss-security] Cve issue discussion
>
> On Monday 07 August 2017 01:03:53 ne xo wrote:
>> Hello,
>>
>> I am curious about issuing CVEs.
>>
>> I can see that a "NULL pointer dereference" or a bug where the exploit has
>> not been verified also get a CVE.
>>
>> heap-overflows may or may not be exploitable.
>>
>> It takes a lot of time to analyze the exploit and create the exploit code.
>>
>> Is it right to be assigned a CVE only if it is exploitable?
>>
>> Or do you think all bugs need to get a CVE?
>>
>> Thanks.
>>
>> ---
>>
>> ref
>>
>> ---
>>
>> http://www.openwall.com/lists/oss-security/2017/04/10/17 - NULL pointer dereference
>> http://www.openwall.com/lists/oss-security/2017/04/10/15 - memory allocation failure
>
> Hi.
>
> Since you mentioned some issues reported by me, let me answer directly.
> For the first, it is undefined behavior, so actually you don't see the crash.
> Nowadays, undefined behavior issues no longer get a CVE.
>
> For the second, ASAN reports that the program wants to use more than 64GB of
> RAM to execute the process, so ASAN hangs the process. In this case it is up to
> the maintainer to check whether there is a problem in the code or not, or it is
> expected. The better double-check would be to verify what happens without ASAN.
>
> I'd also like to mention that MITRE assigns a CVE after they analyze the
> reported issue, so if an issue does not deserve a CVE, MITRE probably won't
> assign one, accompanied by an explanation.
>
> --
> Agostino Sarubbo
> Gentoo Linux Developer
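Added example, not from this thread and not libpng's own code: the defensive check a PNG reader can apply to the tEXt case Glenn describes, refusing to size any buffer from a declared chunk length that the input cannot back, and additionally enforcing a caller-chosen policy cap. The function name, the cap value and the byte samples are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode the big-endian 32-bit length field that starts every PNG chunk. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate the chunk header at byte offset 'off' of an in-memory PNG of
 * 'total' bytes before any buffer is sized from it. Accepts only if:
 *   - the 8-byte header (length + type) itself is present,
 *   - the length respects the PNG limit of 2^31-1,
 *   - the length is within the caller's policy cap 'max_len',
 *   - length + 4 bytes of CRC actually remain in the input.
 * Returns 1 and stores the length in *out_len on success, 0 otherwise. */
int chunk_header_ok(const unsigned char *buf, size_t total, size_t off,
                    uint32_t max_len, uint32_t *out_len) {
    if (off > total || total - off < 8) return 0;        /* header truncated */
    uint32_t len = be32(buf + off);
    if (len > 0x7FFFFFFFu) return 0;                      /* outside PNG spec */
    if (len > max_len) return 0;                          /* over policy cap */
    size_t remaining = total - off - 8;                   /* bytes after type */
    if (remaining < 4 || (size_t)len > remaining - 4) return 0; /* no data/CRC */
    if (out_len) *out_len = len;
    return 1;
}

/* Constructed sample: a tEXt header claiming 2 GiB (0x80000000) of data
 * followed by nothing, like the file described in the thread. */
static const unsigned char claim_2gib[] = { 0x80,0x00,0x00,0x00, 't','E','X','t' };

/* Constructed sample: a length that is legal per spec but still unbacked. */
static const unsigned char claim_max[] = { 0x7F,0xFF,0xFF,0xFF, 't','E','X','t' };

/* Constructed sample: a complete 10-byte tEXt chunk ("Comment\0hi"); the four
 * trailing CRC bytes are a placeholder, this check does not verify the CRC. */
static const unsigned char good_text[] = {
    0x00,0x00,0x00,0x0A, 't','E','X','t',
    'C','o','m','m','e','n','t',0x00,'h','i',
    0x00,0x00,0x00,0x00
};

int main(void) {
    uint32_t n = 0;
    printf("2GiB claim: %d\n", chunk_header_ok(claim_2gib, sizeof claim_2gib, 0, 1u << 20, &n));
    printf("max claim : %d\n", chunk_header_ok(claim_max, sizeof claim_max, 0, 1u << 20, &n));
    printf("good      : %d (len %u)\n", chunk_header_ok(good_text, sizeof good_text, 0, 1u << 20, &n), (unsigned)n);
    return 0;
}
```

When the PNG arrives as a stream and the total size is not known up front, only the policy cap is available; libpng exposes such a cap to callers through png_set_chunk_malloc_max().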