Date: Tue, 05 Nov 2013 18:08:31 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: additional fix for CVE-2012-2825 libxslt crash

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/05/2013 04:50 PM, Vincent Danen wrote:
> * [2013-11-05 23:29:08 +0100] Marcus Meissner wrote:
>
>> On Tue, Nov 05, 2013 at 11:17:21PM +0100, Florian Weimer wrote:
>>> * Vincent Danen:
>>>
>>>> The reason this doesn't crash for me on Red Hat Enterprise Linux 5
>>>> which ships 1.1.17 is because we included this patch (well, the
>>>> developer did) a day after the initial build with the comment:
>>>>
>>>> - CVE-2012-2825 requires an extra patch on 1.1.17
>>>>
>>>> So, I think this does require a second CVE.
>>>
>>> Has anyone shipped an incomplete update? If yes, then I think
>>> we actually need a second CVE. In the past, we got them for
>>> similar cases, and at least Debian's tracking more or less
>>> assumes that it's possible to assign CVEs to deal with such
>>> corner cases.
>>
>> SUSE did, otherwise we would not have noticed :/
>
> Heh.
>
> The other point is that CVE-2012-2825 affected before and after
> 1.1.25, whereas this one really only affects < 1.1.25 so it's
> either a different flaw or that commit (fixed in 1.1.25) is
> actually an incomplete fix, and CVE-2012-2825 is the "fix of the
> fix" CVE.

So to minimize confusion (I hope), because this became well known as a
security issue only recently, I'm assigning a 2013 CVE instead of a
2009 CVE.

Please use CVE-2013-4520 for this issue.
- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSeZaPAAoJEBYNRVNeJnmTASMP/ilTtVL/89hYhKtc0urMNmQU
9z9Dw+VpT0MiCXnJ4H6w/AA4L/JYymh+CFR9sIGyf3PO4NmfxSAH3M99SMluEeFq
/Zc4TrMXD9E8SQGhrJ68CqOnwetzqdaimVDb66cxMOz91uoHo7wa+u43Dek7fvq5
6Cn6VUNBxDk9YhcnGwHhCJm2KcrZwU2vqQqUrnF0EJJjVZF1HQwUyXTD197R9Tv0
W1LjikEslsBclIaJTTe5NFPNLdIWENFdF4OZ7skMjQmG/0Fj4mTDn44yQTsiPTmD
Nk+9A2NrDuXb3WULHt1W7KYKi8aDh6XQic+qXc5E67+AJqmxv4NrUJPgSE1DLSG7
/ISalW81Zl+iDMNwjkqkGRF1sWXDpu2vLNJUokL2Y6wrJLGWBBZBUqxUKmLl3wD4
n22lc8uIDlygDlbOkABjDOY7kR62oY35169lOhYuOX7zRsLkgl57a/jAgu0/Nh2o
g7/Laawi8crn3AHYyHnPdNCZkrRSfdAviEhX4a2VoSuITIYtMm7z3QuUY9RXMAo9
pqhWnX9NhHlNWqwfVovbbnarfPr/OlFXRoHNq+MVQr6FWZhE4XDty/dWXp8V/zZd
C2h/3g6sxrhuE1hHta8DSX16Vw0KSH9adP+JksTxmDqsuaMKaE1qPjd3oh3nyLR+
OOuNp1r4bZSaxGW/3RaT
=49RT
-----END PGP SIGNATURE-----