Date: Fri, 05 Feb 2016 15:32:29 -0500 From: anarcat <anarcat@...ngeseeds.org> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: tiff: Out-of-bounds write for invalid images using LogL compression So from what I understand, this issue is only related to the *sample* code in php-openid, correct? You also report that this code is in "use verbatim" in "the vast majority of sites", yet looking at the Debian code base, the only samples of that code I could find are in php-openid itself and the SAML library: https://codesearch.debian.net/search?perpkg=1&q=getTrustRoot (jglobus seems to be a false positive there) I have reviewed the usage of the openid.realm field in the Debian source code and, in general, it doesn't seem to use the `Host:` header: https://codesearch.debian.net/search?perpkg=1&q=openid.realm Furthermore, I am not sure the attack works even on the theoritical level: how would the user reach the proper website if the Host header is changed? A. -- Never attribute to malice that which can be adequately explained by stupidity, but don't rule out malice. - Albert Einstein
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.