Date: Thu, 17 Jul 2014 14:48:21 -0400 (EDT) From: cve-assign@...re.org To: rdecvalle@...are.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, thoger@...hat.com, mmcallis@...hat.com Subject: Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Use CVE-2014-4975 for the issue that was fixed in: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=46778 This is an issue that is mentioned in: https://bugs.ruby-lang.org/issues/10019 but no final information is yet available about whether this is the same as the issue specified by the Description section of Bug #10019. At this point, it seems likely that that Description section will be mapped to a different CVE ID for a vulnerability related to pack("m0") calls. Note that, within the two references above, the CVE-2014-4975 issue is referred to by all of these terms: - the off-by-one issue - the off-by-one overflow - the pack.c encodes buffer overrun fixed in Revision 46778 Those three phrases above refer to the same issue. The issue that doesn't have a CVE ID might be referred to by all of these terms: - the issue from the Bug #10019 Description section - the issue from the reporter - the original Will Wood report - the issue reported for an AWS sample - the issue involving the aws-sdk gem or its dependencies - the issue involving pack("m0") calls Finally, just to clarify, the issue that doesn't have a CVE ID is also called "buffer overrun in pack.c (encodes)" but this might or might not be the same as "the pack.c encodes buffer overrun fixed in Revision 46778." - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTyBnAAAoJEKllVAevmvmsSMUH/jxTMolgs5Sy8rl8OLYT2bez VFguZQLdS5OAOhVbUX8Ju25lbKkyGQ4743NShvKT5K9Uw/REcLmU6et57Bzf2ZhR +8AuKCiYDROpu9DpXkk2epWI31W8oIV74exvlEms3B1VkEJBggxUb1TPemEBj23Z 80z2MGm61hNBTkjuDnjh0Z2kStn9iBYAIw8+tTePzbTCPzwCXi6/n+rtyzx+m93A ocnz1Wrqkrjy0lA6FsSayYI9eympbl6o9t3KYaKPvLcBVwOVRhZRSTKjuweBMj37 YmxgJAuCD+8OTV5aW2C0lYVMkLzmthlJj/PiE7XarNNHQRQDsYcKDOaNoJ/6MTg= =4Kug -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.