Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Aug 2016 20:18:41 -0400 (EDT)
From: cve-assign@...re.org
To: rs@...skills.cz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Requests Facebook HHVM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> -Fix out of bounds write access in
> mb_detect_encoding, mb_send_mail, mb_detect_order.
> https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2

Use CVE-2016-6870. The scope of this CVE is all of the incorrect uses
of strndup that were fixed in this commit. The commit message
references t11337047, which possibly is a bug that was discovered much
earlier. However, because we don't know of any earlier public
disclosure of t11337047, there isn't a separate CVE ID for t11337047.


> -Fix buffer overrun due to integer overflow in bcmath
> https://github.com/facebook/hhvm/commit/c00fc9d3003eb06226b58b6a48555f1456ee2475

Use CVE-2016-6871.


> -Fix integer overflow in StringUtil::implode
> https://github.com/facebook/hhvm/commit/2c9a8fcc73a151608634d3e712973d192027c271

Use CVE-2016-6872.


> -Fix self recursion in compact
> https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e

Use CVE-2016-6873.


> -Fix recursion checks in array_*_recursive
> https://github.com/facebook/hhvm/commit/05e706d98f748f609b19d8697e490eaab5007d69

Use CVE-2016-6874.


> -Fix infinite recursion in wddx
> https://github.com/facebook/hhvm/commit/1888810e77b446a79a7674784d5f139fcfa605e2

Use CVE-2016-6875.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXtk/uAAoJEHb/MwWLVhi2OFwP/Aig7rJ2rCVEyv+/KwDJBC+a
ufukAbNgsFbzHChTJxntRrWS3PJt7DKkZ4a2wlPzdUd4rQKGFObmMMm4OIWw2xaj
TiBngAelDRJNDNP/ZmkEySj9RGS33UMg+6QnI5pOFI3r7uXIqBau+cjIyq3diqUC
NFlaiFy2TcIb82bYRET3r4SIk8019uaP2rfN5CDLKuNPpYIM3d/Xo0490MwufTHh
QyTiFtFDwsZdtCQz5wFR949Lt+B6rEFdhzYDaqjJr9We6POxvy799/8LUI2UGtwN
P6UiCzS1o/ybx6QCh+Lx7wDNBuT/3t0aeFhWx1FJuFodtF9yiILMxD4BpaARlnva
4Nv/+TNhCmcGGLyE3wCrcAVeCX/QcsAaM9fXYVGy2SuqRmljW7sQIhpkaCIzQCwq
EEGCZMeqPBZ1pMlIJgKmWa0PvKfkv0nDtNhQqNN57hS3YcePE8rShO7+/HYRQaYL
zMe8u6OWVZr432Iwcia1Zjxnmi6ix1g3Ua8gz8oWAGrvw5/6T0gEzRyz+OB79+y+
3OKeE/GDQA/aVRutZciQrrHT30uzkgwtoAQdafur5Cna0cEqRQnclcwFxUfPdpr4
qJJFWH2vmPncge0xx2auUaDv8+7OBOonUvlmEWIfowSdg66D0Qm6EyqN6UNZqm5a
tVSy0zt3nnIATS36SGDd
=tBiw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.