Date: Mon, 7 Aug 2017 08:15:14 -0400
From: Glenn Randers-Pehrson <glennrp@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Cve issue discussion

Do memory-exhaustion bugs get a CVE?  Suppose an application is fooled
into requesting 2GB of memory but then never uses it other than
attempting to read it, immediately hitting EOF, and cleaning up.

I'm addressing such a bug in libpng right now, in which the user
is sent a PNG file containing a tEXt chunk that claims to have a 2GB
length (but none of the 2GB data is included in the PNG).  On my
platform libpng deals with that almost instantaneously, but I think
some platforms (ASAN builds?) would actually allocate the memory
before proceeding to read the data.

Glenn


On Mon, Aug 7, 2017 at 5:47 AM, ne xo <nexo123@...look.kr> wrote:
> Hello,
>
> thank you for the reply!
>
> I chose the report at random.
>
> I'm sorry if it was offensive of me to mention the report.
>
> Thanks.
> ________________________________
> From: Agostino Sarubbo <ago@...too.org>
> Sent: Monday, August 7, 2017 4:42:05 PM
> To: oss-security@...ts.openwall.com
> Subject: Re: [oss-security] Cve issue discussion
>
> On Monday 07 August 2017 01:03:53 ne xo wrote:
>> Hello,
>>
>>
>> I am curious about issuing CVEs.
>>
>> I can see that a "NULL pointer dereference" or a bug where the exploit has
>> not been verified also gets a CVE.
>
>>
>> heap-overflows may or may not be exploitable.
>>
>>
>> It takes a lot of time to analyze the exploit and create the exploit code.
>>
>>
>> Is it right to be assigned a CVE only if it is exploitable?
>>
>>
>> Or do you think all bugs need to get a CVE?
>>
>>
>> Thanks.
>>
>> ---
>>
>> ref
>>
>> ---
>>
>> [1]http://www.openwall.com/lists/oss-security/2017/04/10/17 - NULL pointer
>> dereference
>> [2]http://www.openwall.com/lists/oss-security/2017/04/10/15 -
>> memory allocation failure
>
> Hi.
>
> Since you mentioned some issues reported by me, let me answer directly.
> For the first, it is undefined behavior, so actually you don't see the
> crash.
> Nowadays, undefined behavior issues no longer get a CVE.
>
>
> For the second, ASAN reports that the program wants to use more than 64GB of
> RAM to execute the process, so ASAN hangs the process. In this case it is up to
> the maintainer to check whether there is a problem in the code or whether it is
> expected. The better double-check would be to verify what happens without ASAN.
>
> I'd also like to mention that MITRE assigns a CVE after they analyze the
> reported issue, so if an issue does not deserve a CVE, MITRE probably won't
> assign one, accompanied by an explanation.
>
> --
> Agostino Sarubbo
> Gentoo Linux Developer
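The libpng case Glenn describes above, as an added example in C that is not libpng's own code: a PNG chunk header is validated against the bytes actually remaining in the input before any buffer is sized from its declared length, so a tEXt chunk that claims 2GB but carries no data is rejected instead of triggering the allocation. The function name check_chunk, the status enum and the two sample chunks are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PNG chunk layout: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
 * The PNG spec caps the length field at 2^31 - 1. */
#define PNG_CHUNK_HDR 8
#define PNG_CHUNK_CRC 4
#define PNG_MAX_CHUNK_LEN 0x7fffffffUL

/* Hypothetical result codes; not libpng's own API. */
enum chunk_status { CHUNK_OK = 0, CHUNK_SHORT_HEADER, CHUNK_LEN_TOO_BIG, CHUNK_TRUNCATED };

/* Validate the chunk header at offset `off` of a `len`-byte input before any
 * buffer is sized from the declared length. On CHUNK_OK the data and CRC are
 * known to be present, so an allocation of *data_len bytes is bounded by the
 * real input size rather than by an attacker-chosen number. */
static enum chunk_status check_chunk(const uint8_t *buf, size_t len, size_t off,
                                     char type[5], uint32_t *data_len)
{
    if (off > len || len - off < PNG_CHUNK_HDR)
        return CHUNK_SHORT_HEADER;
    uint32_t n = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                 ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
    memcpy(type, buf + off + 4, 4);
    type[4] = '\0';
    *data_len = n;
    if (n > PNG_MAX_CHUNK_LEN)
        return CHUNK_LEN_TOO_BIG;               /* spec violation: reject outright */
    size_t avail = len - off - PNG_CHUNK_HDR;   /* bytes remaining after the header */
    if (avail < PNG_CHUNK_CRC || (size_t)n > avail - PNG_CHUNK_CRC)
        return CHUNK_TRUNCATED;                 /* declared length exceeds the file */
    return CHUNK_OK;
}

/* Constructed sample: tEXt chunk claiming 2^31 - 1 bytes with no data or CRC behind it. */
static const uint8_t bogus_text_chunk[] = { 0x7f, 0xff, 0xff, 0xff, 't', 'E', 'X', 't' };

/* Constructed sample: tEXt chunk with 4 data bytes and a dummy CRC. */
static const uint8_t small_text_chunk[] = { 0x00, 0x00, 0x00, 0x04, 't', 'E', 'X', 't',
                                            'a', 'b', 'c', 'd', 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    char type[5];
    uint32_t n;
    enum chunk_status s = check_chunk(bogus_text_chunk, sizeof bogus_text_chunk, 0, type, &n);
    printf("%s len=%u status=%d\n", type, n, (int)s);   /* tEXt len=2147483647 status=3 */
    s = check_chunk(small_text_chunk, sizeof small_text_chunk, 0, type, &n);
    printf("%s len=%u status=%d\n", type, n, (int)s);   /* tEXt len=4 status=0 */
    return 0;
}
```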
