Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 5 Mar 2014 14:08:31 -0500 (EST)
From: cve-assign@...re.org
To: huzaifas@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for two net-snmp remote DoS flaws

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 1. net-snmp: denial of service flaw in Linux implementation of ICMP-MIB

> https://bugzilla.redhat.com/show_bug.cgi?id=1070396
> http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/

A first look at the patch suggests that it's about missing input
validation, and not also about independently exploitable off-by-one
errors in the sizes of data structures. In other words, although
something like:

  - struct icmp_msg_mib vals[255];
  + struct icmp_msg_mib vals[256];

would often be an independent security fix (255 is an unusual size),
here it's not a security fix relative to the original code. If other
analysis shows that that's incorrect, we'll add another CVE ID.

Use CVE-2014-2284 for the missing input validation.


> 2. net-snmp: snmptrapd crash when using a trap with empty community string
> https://bugzilla.redhat.com/show_bug.cgi?id=1072778
> https://bugzilla.redhat.com/show_bug.cgi?id=1072044
> http://sourceforge.net/p/net-snmp/patches/1275/

Use CVE-2014-2285.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTF3S0AAoJEKllVAevmvms15wH/A2vbg+phBFo/ChivsN7fVRJ
iVCRCFG7b81xVeZmnMPE0EM1YXaGefG9cYdKmRtnaCO5p2anuuJgzpjB+rE37C7a
T2+rZIrhmkyOYmxUoebGrzwAqU7l0IqLfP5GOZJ8vbuaVyMWd8VJ6nlzmq8kF1yZ
fGToucAz2jsDKOctGs6R8GGkKjNI5WdpgxkgQ6rrEdW0VfQzW7uz0AcgdXtmHjx1
DerxDuhQxTGGrT+salAa3n8eNV7kBmfsroR72gv7agdW2hZ7E74c5CZG8hfwmNgN
qcijF53zMJ46+u5nbm84ic7Rtopms/edABSd/DmZVHRGEs+ZILpvcWX47nX3wAM=
=BxeE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.