Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 19 May 2016 12:17:11 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request: null pointer deref in openslp,
 can be triggered remotely

On 05/18/2016 09:55 PM, cve-assign@...re.org wrote:

> The oss-security message and the rhbz document seem to describe the
> impact in different ways, i.e., "Basically return value from malloc
> isn't checked ... This can be triggered remotely by sending a large
> number of requests, which could possibly lead malloc to fail at one
> point, causing crash via null pointer deref" versus "A remote attacker
> could potentially deplete the memory of the server." For purposes of
> CVE, this type of scenario is often not interpreted as two independent
> problems. Roughly speaking, it is interpreted as "The unchecked malloc
> return value is the primary problem. This problem becomes reachable
> for reasons that aren't fully described, but those reasons might
> involve a design limitation in which the memory consumption of
> requests is not strictly controlled."
> 
I fixed the description in the bug. The problem basically is unchecked
return value from malloc inside the realloc function. So when "crafted"
packets are sent to the server, realloc is triggered to extend the size
of the data structure which holds the network data. Under memory
pressure malloc could fail, which will trigger a null pointer deref.



> Finally, although perhaps not related to the issue of whether a CVE ID
> should exist, that Security.html page says "If you find a security
> hole in OpenSLP, please bring it to the attention of the OpenSLP
> maintainer" and names John Calcote. Possibly Red Hat could do this
> upstream notification if that hasn't already happened.
> 


Yes, we will inform upstream


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.