Date: Tue, 3 Nov 2015 16:00:46 -0500 (EST)
From: cve-assign@...re.org
To: dalias@...c.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, gustavo.grieco@...il.com
Subject: Re: Pointer misuse unziping files with busybox

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> > http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
>>
>> > Unzipping a specially crafted zip file results in a computation of an invalid
>> > pointer and a crash reading an invalid address.

>> BusyBox wouldn't realistically be
>> used for deployment of a program that remains running to offer an
>> unzipping service to multiple clients.

> There are several distributions including Alpine Linux, widely used in
> container environments, which by default use busybox to provide the
> unzip utility. Unzipping of any files downloaded by the user, possibly
> from untrusted sources, may be affected. I believe CVE is appropriate
> for user-facing programs commonly used to open untrusted files even
> without an automated process accepting and processing
> potentially-malicious files from a client.

We'll try to add some information about what we're looking for.

1. If the product were a library that decompresses untrusted files, then
the existence of a crash would be enough to assign a CVE ID. The
rationale is that a library might have been used to develop a program
that needs to remain running even after one bad file is encountered.

2. Many products that aren't libraries have no need to remain running
after a bad file is encountered. If the only possible problem is "a
crash reading an invalid address" and there is no way to write to an
invalid address or change the flow of control, then there typically
can't be a CVE ID. Typically, a simple and complete workaround for the
crash problem is to not try to unzip the bad file again.

> From: Gustavo Grieco <gustavo.grieco@...il.com>
> Date: Fri, 30 Oct 2015 09:38:47 -0300

>> Could you please comment directly about the likelihood of
>> exploitability for code execution?

> To be honest, I don't know. The patched code looks quite complex and I
> cannot discard any potential arbitrary write there.

We currently prefer not to assign CVE IDs when the available information
is "a crash reading an invalid address" in combination with "cannot
discard any potential arbitrary write."

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWOR/wAAoJEL54rhJi8gl5Y/MQAMu/aVQBoFhPCvqyvrG0ABiz
K6kfDNA+d9mus1GqKju007FM7l3YEjvVfBTP/yQy1xfwBlWtgJHPK4Xc5/VDNo2z
lqop/O85DB+dV2sswcR8C7lqplLwCS5RocT5nyi8wF2YadAFgWk/WZVX9dgpWQF7
wODx8HBTH2aLVOoNTGNZY4srRFACMFi6jycvrBZkbDfOvxeYU6sKZDU+ZxA8zU8X
ULsDr6xqS+XRQBu2JExX6WyTQHRcS90Errti5k0GhghbPrcTB2eXGpDOFQ+AScAi
KSbx7zV9ngBHNXPNuXoQ1WAeUUD5L1P69zMfy8asxBdLOQWTK0PrZNMKPxwbOD9R
UqzbeztiBJ9uS6fnKGWeTyLH3+5vtvBSB+UA3NSaIayAN2GXJfGaKHLYeEDovAUr
kuaN8gvya/y5cce0NtvUcz/Z5BiJEfE2CEaY24f/FJ8ZqXKEjEO0sIG6nNMUH8Zy
8d3HSsigsLesGpLdUFpD4kLxUjyMYkUew0CXVZ6STHX1wpcRUUksot9KocHybFXw
KKoPSbMi27C2tgYIrFdJn4wHIU4hJFgqDQh1QjVRcq1H+6aNcdwxbLb+WQBSA0ze
bzXG0r5Q0NW4AqFW/jaU29ACcylqnVsPilbbQ6hG/n5l4+gkAT0su7x75k+NPaI0
ezjjs0eDQnlnp00K7930
=xHYl
-----END PGP SIGNATURE-----