Date: Thu, 5 May 2016 01:02:22 -0400 (EDT) From: cve-assign@...re.org To: boehme.marcel@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, bschmidt@...hat.com, florian@...h-krohm.de, nickc@...hat.com Subject: Re: CVE Request: No Demangling During Analysis of Untrusted Binaries -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > 1) Exploitable Buffer Overflow (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 As far as we can tell, you sent a CVE request for this vulnerability to cve-assign@...re.org (from a different email address of yours) on 2016-02-05, and we replied with a CVE ID on 2016-02-06. Is there an additional aspect of 69687 that you are reporting now? Our reply at that time was: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 >> Since n is a signed int, n wraps over at some iteration. Since, >> realloc expects n to be unsigned, we end up allocating less memory >> then actually needed. In the beginning though n is too large and >> xrealloc simply complains. However, if you play a bit with the length >> of arg, you'll quickly turn that integer overflow in a buffer >> overflow. Use CVE-2016-2226 for this incorrect handling of a signed int. > 2) Invalid Write due to a Use-After-Free (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481 Comment 2 says "two distinct bugs." Use CVE-2016-4487 for the btypevec bug. Use CVE-2016-4488 for the ktypevec bug. > 3) Invalid Write due to Integer Overflow (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492 Use CVE-2016-4489. > 4) Write Access Violation (Fixed in GCC trunk) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498 Use CVE-2016-4490 for this issue described as "Root cause: In cp-demangle.c sometimes length-variables are of type long ... Other times they are of type int." Note that this CVE ID is not about the Comment 1 "case where consume_count returns -1" -- that comment does not belong in 70498 at all. > 5) Various Stack Corruptions (Patch under Review) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909 > https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00105 Use CVE-2016-4491 for this issue caused by a lack of checking for "has itself as ancestor more than once." > 6) Write Access Violation (Patch under Review) > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926 > https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00223 Use CVE-2016-4492 for both of the "first read the value of a length variable len from the mangled string, then strncpy len characters from the mangled string; more than necessary" issues. Use CVE-2016-4493 for both of the "read the value of an array index n from the mangled string, which can be negative due to an overflow" issues. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXKtL3AAoJEHb/MwWLVhi2+5gP/3qHIH8ngHS85trkFRrAiLtn 5nNVzyil6xjQCo7F7ScLfYQK0AfKGhBhQzO16dAI2hHMIRc8AaXH4cinRHHHQrYM hrwj5SoZoXMgrUZLZJ2v1H0oidBwMFUqprnC1NEgqNMoRw6DM0NZTsy4opgKCl1R dbSfqBybZr+qscnn4wAaN2ctOS0A2/PlSIxDJ5LRPEJyb+fLNVVnbj5LIybjD/To uPpQPkGKekK3oD52huRlb5hLy9qq3eVzoyu0Lup34ec0iRnLQjqwmYm8dZvbhPnt QMgZPe0iyRaQAtpE5nj7eZDhFuQ9vqS1KikzuinZRUkLcIGroGmnUtGdCCDUHzL1 s12c6fpGkU2Huuz9mgVrdtOKdcSyFnvEl14xMCQLBhf8LVNKQ9RkVaHPUWLt+0uw /BtwNCs6NSAGtfi0yuX4F76u3SGKTnell7Za9BJQKXZFeDtwTUc9N01eWGpovB1l um6HQ75vca6+kxlX6ZZn9Zm7Dr1CNtcCLfKka9MtxmfkaucV5vOjlqURA58jrpdS NJU5TgRr2WcFqI/3gfOzQFkz1R1voZMgQJEKNIRtLC04nLWxXwoRAGQ9oJK34y0Z BVoWD9jDc3lEXx+X5MOmUZy4+RQQl0qizLquLxqTXbRUBpgsFP0Mw/w7dWCkghCA kazRhIrShTety5Dx7/qO =Qvdr -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.