Message-Id: <20161019213412.5EE6E8BC62F@smtpvmsrv1.mitre.org>
Date: Wed, 19 Oct 2016 17:34:12 -0400 (EDT)
From: cve-assign@...re.org
To: dalias@...c.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, ville@...rikari.net
Subject: Re: CVE Request - TRE & musl libc regex integer overflows in buffer size computations

> Due to incorrect use of integer types and missing overflow checks in
> the tre_tnfa_run_parallel function's buffer overflow logic, the TRE
> regex implementation (both original version and the one used in musl
> libc) are subject to integer overflows in buffer size computation.

> at least the num_states*num_tags multiplication can clearly
> overflow in practice. for safety, check them all, and use the proper
> type, size_t, rather than int.

Use CVE-2016-8859 for this entire report. We do not see a sensible way
in which the issue of an incorrect data type could be separated from
the issue of unchecked multiplication.

> - buf = xmalloc((unsigned)total_bytes);
> + buf = calloc(total_bytes, 1);

If this is a security fix, it would need a separate CVE ID.
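
Review bot: on the `+ buf = calloc(total_bytes, 1);` line, the allocator change is bundled with the removal of the `(unsigned)` cast, and nothing in the quoted lines says whether the zero-filling is required for correctness or is only hardening. Say which in the commit message, or split the allocator change into its own commit so it can be tracked separately from the cast removal. The quoted lines also show no check of the `calloc` return value; confirm that `buf` is tested for NULL before its first use.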

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
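
The class of bug quoted in the message above (a buffer size computed in a narrow integer type with no overflow checks), shown next to a checked `size_t` version. This is an added example, not code from TRE, musl or this thread; the function names, the header-plus-rows layout and the sample counts are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: 32-bit arithmetic, so a large num_states * num_tags
 * wraps and yields a far too small byte count. uint32_t keeps the wrap
 * well defined here; with a signed int the overflow is undefined. */
static uint32_t unchecked_bytes(uint32_t num_states, uint32_t num_tags)
{
    return num_states * num_tags * (uint32_t)sizeof(int);
}

/* Multiply in size_t, refusing any product that does not fit. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b) return 0;
    *out = a * b;
    return 1;
}

/* Checked pattern. Hypothetical layout (an assumption of this example):
 * a header followed by num_states rows of num_tags ints. */
static int checked_bytes(size_t num_states, size_t num_tags,
                         size_t header, size_t *total)
{
    size_t cells, bytes;
    if (!mul_ok(num_states, num_tags, &cells)) return 0;
    if (!mul_ok(cells, sizeof(int), &bytes)) return 0;
    if (bytes > SIZE_MAX - header) return 0; /* addition can wrap too */
    *total = bytes + header;
    return 1;
}

/* Zeroed buffer, or NULL when the size is not representable. */
static void *alloc_tag_buffer(size_t num_states, size_t num_tags, size_t header)
{
    size_t total;
    if (!checked_bytes(num_states, num_tags, header, &total))
        return NULL;
    return calloc(total, 1);
}

int main(void)
{
    /* Constructed counts: 65536 * 65536 wraps to 0 in 32 bits. */
    printf("unchecked: %u bytes\n", (unsigned)unchecked_bytes(65536u, 65536u));
    printf("checked:   %s\n", alloc_tag_buffer(SIZE_MAX / 2, 4, 0) ? "allocated" : "rejected");
    return 0;
}
```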