Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 19 Oct 2016 17:34:12 -0400 (EDT)
From: cve-assign@...re.org
To: dalias@...c.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, ville@...rikari.net
Subject: Re: CVE Request - TRE & musl libc regex integer overflows in buffer size computations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Due to incorrect use of integer types and missing overflow checks in
> the tre_tnfa_run_parallel function's buffer overflow logic, the TRE
> regex implementation (both original version and the one used in musl
> libc) are subject to integer overflows in buffer size computation.

> at least the num_states*num_tags multiplication can clearly
> overflow in practice. for safety, check them all, and use the proper
> type, size_t, rather than int.

Use CVE-2016-8859 for this entire report. We do not see a sensible way
in which the issue of an incorrect data type could be separated from
the issue of unchecked multiplication.


> -    buf = xmalloc((unsigned)total_bytes);
> +    buf = calloc(total_bytes, 1);

If this is a security fix, it would need a separate CVE ID.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYB+XPAAoJEHb/MwWLVhi2xZoP/RjFX9HfV8rmj6XtIvK/V8eX
Nr7peF92wDUfQTnwHGbB4vpPLAeBJpR9O/T9+mxmp5hbl6EhetgugUkkcr9mn8/M
7yySbr7wCegpAzWHMm51hecozMunOB8Di0dpI/jhdMNra2N4rAFhZ+orAancZSCq
IhMIHsj9uuxR7segrNyMlZRCGjLFHtro4TeaO7g84ITVQoswFfbP9yuIL1Ddhn+h
s/AYfV3jqCXBOP6zWxRyZSAXT37HE/ZYVx0T/6wqrzQhX259i8dYnpRTsIvwZEJt
dbuB7fAvE6CAhGJ/zOGjBF2U2oXnNmOEdyhWjOdB2TlmfpfS8IyO5tN/ki2Qn8Kt
g4Lkk3+DKquMh+gcSxF8J/Xc7eKS4FOygdCSM+d5wAWr4iMDyTN0hI+zb9ypIkte
CTO66jlPgFJy6QBFQSTrv2wqftOdkQhuJ2U6u/ZHI+57Xj/S2AZM8FbWU0dgAkEN
xgtmF1go9v4hiK2Dln5DAyauOCq5LG1KYuddHmT/nDRxa4dMKG7nWPYH8TP+DMJM
hnFo8BBSicRFBTBkBE57BwRPps31O3HQ2xD9UusXwy1/5Fa5kpFw0V8bHoUeIpDV
0Uo212/UWa449y5S/QsmoKaLG/pXQn1YEnYmNZ1ASLCUhD9eiyUMFJI1au7d25PC
15KiklfB4i7WNGH8t79S
=M+Ab
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.