Date: Sun, 30 Dec 2012 13:05:42 +0200 From: Marko Lindqvist <cazfi74@...il.com> To: Kurt Seifried <kseifried@...hat.com> Cc: oss-security@...ts.openwall.com Subject: Re: About CVE-2012-5645 On 30 December 2012 05:48, Kurt Seifried <kseifried@...hat.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/21/2012 05:26 PM, Marko Lindqvist wrote: >> I saw message that Freeciv bug #20003 has been assigned >> CVE-2012-5645 : http://seclists.org/oss-sec/2012/q4/484 >> >> I'd like to clarify things a bit. It was not single issue, but >> more like two separate issues. Most importantly this leads to patch >> listed >> (http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670) >> to fix only part of the problems described. Something like: >> >> A denial of service flaw was found in the way the server component >> of Freeciv, a turn-based, multi-player, X based strategy game, >> processed certain packets (invalid packets with whole packet length >> lower than packet header size). A remote attacker could send a >> specially-crafted packet that, when processed would lead to freeciv >> server to terminate (due to memory exhaustion) >> >> >> The other half: A denial of service flaw was found in the way the >> server component of Freeciv, a turn-based, multi-player, X based >> strategy game, processed certain packets (syntactically valid >> packets, but whose processing would lead to an infinite loop). A >> remote attacker could send a specially-crafted packet that, when >> processed would lead to freeciv server to become unresponsive (due >> to excessive CPU use). >> >> is fixed in >> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701 >> >> >> >> Both are fixed in 2.3.3 (and patch versions applied to the stable >> branch S2_3 release was made from: >> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672 , >> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703 ) >> >> >> - ML >> > > Hmm I'm waffling here. The issues are the same version/reporter, > roughly the same, can you post the http://cwe.mitre.org/ identifiers > for these two issues? If they are different enough this might warrant > a CVE split but for now I'm leaving it merged. Yes, had it fixes for both parts listed from the start, there would be no problem. The problem is the confusion over where CVE-2012-5645 is really fixed. Based on the original description here some distributions claim CVE-2012-5645 fixed now that they have applied one patch only. If you just add second fix to CVE-2012-5645, there will be no way of telling if particular logmsg about "CVE-2012-5645 fixed" means it's fixed completely, or only half of it. - ML
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.