Date: Thu, 12 Mar 2015 17:37:58 -0400 (EDT) From: cve-assign@...re.org To: fweimer@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: glibc scanf implementation crashes on certain inputs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://sourceware.org/bugzilla/show_bug.cgi?id=13138 > > causes scanf and related functions to crash when processing certain > inputs. This happens with the numeric conversions (%d, %f and others), > and includes valid numbers (ISO C allows crashes or worse on invalid > inputs, but glibc is buggy even by this standard). > > The first glibc version which received the fix for this bug is 2.15. Use CVE-2011-5320 for the https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c4 issue, i.e., the "huge string of zeros" attack vector. The scope of this CVE does not include the original "5"x21000000 input string for a %i argument. As far as we can tell, Bug 13138 doesn't resolve the question of whether a crash is a permitted behavior for that input. It seems that the relevant standards perhaps should have specified that that results in an ERANGE error without a crash, but the published wordings are not precise enough to determine whether unexpected "5"x21000000 handling is a vulnerability. Similarly, the scope of this CVE certainly does not include "string conversions that overflow the destination buffer" in the https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c3 comment. In that case, undefined behavior is the documented outcome, so we feel that there isn't a vulnerability. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVAgZmAAoJEKllVAevmvms/84H/0tjViMSuEM83gujKzVjRAB0 ulmErPQSY5BmgSux5DeLA2SQiYLEkX/0wpacjwytuHa2R6PBEWEJEj6PpRw6zUpQ /FOGwUeekpL6gmanOb8jRETDvyFXaDYqlwkRf/+UbUzEqKccRoM6lcV6asscafQL WIeo/tsz54lsXiUudHS8ZVIrCbO+BVOEKHGZ5RTlBm9cGryllf7fcnDgp6IkahHZ 2+nOAAtUq8gur0j/4HBDAoseUH+fvRkEJfC52wSrJAefV4SMF9JDrTqssnYgux1F xeQs0AZDDr2iGS5bkaxc2PZ14UcASex+mrYp6I0c7klvMcwDuWWQRZc3qTLJBPY= =RpzJ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.