Date: Mon, 7 Aug 2017 14:37:56 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Cve issue discussion

Hi,

If it could crash the image reader I would consider it "remote denial of service"
classed and CVE worthy.

Ciao, Marcus

On Mon, Aug 07, 2017 at 08:15:14AM -0400, Glenn Randers-Pehrson wrote:
> Do memory-exhaustion bugs get a CVE?  Suppose an application is fooled
> into requesting 2Gb of memory but then never uses it other than
> attempting to read it, immediately hitting EOF, and cleaning up.
> 
> I'm addressing such a bug in libpng right now, in which the user
> is sent a PNG file containing a tEXt chunk that claims to have a 2GB
> length (but none of the 2GB data is included in the PNG).  On my
> platform libpng deals with that almost instantaneously, but I think
> some platforms (ASAN builds?) would actually allocate the memory
> before proceeding to read the data.
> 
> Glenn
> 
> 
> On Mon, Aug 7, 2017 at 5:47 AM, ne xo <nexo123@...look.kr> wrote:
> > Hello,
> >
> > thank you for the reply!
> >
> > I chose the report at random.
> >
> > I'm sorry if I was offended to mention the report.
> >
> > Thanks.
> > <http://aka.ms/weboutlook>
> > ________________________________
> > From: Agostino Sarubbo <ago@...too.org>
> > Sent: Monday, August 7, 2017 4:42:05 PM
> > To: oss-security@...ts.openwall.com
> > Subject: Re: [oss-security] Cve issue discussion
> >
> > On Monday 07 August 2017 01:03:53 ne xo wrote:
> >> Hello,
> >>
> >>
> >> I am curious about issuing CVEs.
> >>
> >> I can see that a "NULL pointer dereference" or a bug where the exploit has
> >> not been verified also get a CVE.
> >
> >>
> >> heap-overflows may or may not be exploitable.
> >>
> >>
> >> It takes a lot of time to analyze the exploit and create the exploit code.
> >>
> >>
> >> Is it right to be assigned a CVE only if it is exploitable?
> >>
> >>
> >> Or do you think all bugs need to get a CVE?
> >>
> >>
> >> Thanks.
> >>
> >> ---
> >>
> >> ref
> >>
> >> ---
> >>
> >> [1]http://www.openwall.com/lists/oss-security/2017/04/10/17 - NULL pointer
> >> dereference
> >> [2]http://www.openwall.com/lists/oss-security/2017/04/10/15 -
> >> memory allocation failure
> >
> > Hi.
> >
> > Since you mentioned some issues reported by me, let me answer directly.
> > For the first, it is undefined behavior, so actually you don't see the
> > crash.
> > Nowadays, undefined behavior issues do not get a CVE anymore.
> >
> >
> > For the second, ASAN reports that the program wants to use more than 64GB of
> > RAM to execute the process, so ASAN hangs the process. In this case it is up to
> > the maintainer to check whether there is a problem in the code or not, or whether
> > it is expected. The better double-check would be to verify what happens without ASAN.
> >
> > I'd also like to mention that MITRE assigns a CVE after they analyze the
> > reported issue, so if an issue does not deserve a CVE, MITRE probably won't
> > assign one, accompanied by an explanation.
> >
> > --
> > Agostino Sarubbo
> > Gentoo Linux Developer
> 

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>
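
The malformed file Glenn describes in the quoted message (a tEXt chunk declaring about 2 GB with none of that data present) can be rejected before any allocation by checking the declared length against a cap and against the bytes actually available. This is an added example, not part of the thread and not libpng's code; the function name, the 8 MB cap and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PNG_OK = 0, PNG_BAD_SIG = -1, PNG_TRUNCATED = -2, PNG_OVER_CAP = -3 };

/* Constructed sample: signature, a 13-byte IHDR with a dummy CRC, then a tEXt
 * chunk declaring 0x7FFFFFFF bytes (~2 GB) but carrying only 4 before EOF. */
static const unsigned char sample_bogus_text[] = {
    0x89,'P','N','G','\r','\n',0x1a,'\n',
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0,
    0x7f,0xff,0xff,0xff, 't','E','X','t', 'k','e','y',0
};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: walk the chunks in buf[0..len) and reject any chunk
 * whose declared length exceeds `cap` or the bytes actually present.
 * bad_type receives the offending chunk type. CRCs are not verified. */
int png_check_chunk_lengths(const unsigned char *buf, size_t len,
                            uint32_t cap, char bad_type[5]) {
    static const unsigned char sig[8] = {0x89,'P','N','G','\r','\n',0x1a,'\n'};
    size_t off = 8;
    bad_type[0] = '\0';
    if (len < 8 || memcmp(buf, sig, 8) != 0) return PNG_BAD_SIG;
    while (off < len) {
        if (len - off < 8) return PNG_TRUNCATED;   /* no room for length+type */
        uint32_t clen = be32(buf + off);
        memcpy(bad_type, buf + off + 4, 4);
        bad_type[4] = '\0';
        off += 8;
        if (clen > cap) return PNG_OVER_CAP;       /* refuse before allocating */
        /* the data plus its 4-byte CRC must fit in what is left */
        if (len - off < 4 || clen > len - off - 4) return PNG_TRUNCATED;
        off += (size_t)clen + 4;
        if (memcmp(bad_type, "IEND", 4) == 0) break;
    }
    bad_type[0] = '\0';
    return PNG_OK;
}

int main(void) {
    char type[5];
    int rc = png_check_chunk_lengths(sample_bogus_text, sizeof sample_bogus_text,
                                     8u * 1024 * 1024 /* assumed cap */, type);
    printf("rc=%d chunk=%s\n", rc, type);
    return rc == PNG_OVER_CAP ? 0 : 1;
}
```

The comparison against the remaining bytes only applies when the whole input is already in memory; a streaming reader has to rely on the cap alone.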
