Date: Tue,  3 Nov 2015 16:00:46 -0500 (EST)
From: cve-assign@...re.org
To: dalias@...c.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, gustavo.grieco@...il.com
Subject: Re: Pointer misuse unziping files with busybox

>> > http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
>>
>> > Unzipping a specially crafted zip file results in a computation of an invalid
>> > pointer and a crash reading an invalid address.

>> BusyBox wouldn't realistically be
>> used for deployment of a program that remains running to offer an
>> unzipping service to multiple clients.

> There are several distributions including Alpine Linux, widely used in
> container environments, which by default use busybox to provide the
> unzip utility. Unzipping of any files downloaded by the user, possibly
> from untrusted sources, may be affected. I believe CVE is appropriate
> for user-facing programs commonly used to open untrusted files even
> without an automated process accepting and processing
> potentially-malicious files from a client.

We'll try to add some information about what we're looking for.

1. If the product were a library that decompresses untrusted files,
then the existence of a crash would be enough to assign a CVE ID. The
rationale is that a library might have been used to develop a program
that needs to remain running even after one bad file is encountered.

2. Many products that aren't libraries have no need to remain running
after a bad file is encountered. If the only possible problem is "a
crash reading an invalid address" and there is no way to write to an
invalid address or change the flow of control, then there typically
can't be a CVE ID. Typically, a simple and complete workaround for the
crash problem is to not try to unzip the bad file again.

> From: Gustavo Grieco <gustavo.grieco@...il.com>
> Date: Fri, 30 Oct 2015 09:38:47 -0300

>> Could you please comment directly about the likelihood of
>> exploitability for code execution?

> To be honest, I don't know. The patched code looks quite complex and I
> cannot discard any potential arbitrary write there.

We currently prefer not to assign CVE IDs when the available
information is "a crash reading an invalid address" in combination
with "cannot discard any potential arbitrary write."

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]