Date: Thu, 20 Oct 2016 12:27:15 -0400 (EDT) From: cve-assign@...re.org To: scott.tenaglia@...incea.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request - Portable UPnP SDK 1.6.19 through 1.8.x -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > https://sourceforge.net/p/pupnp/bugs/133/ > parse_uri( &out->URLs[i + 1], URLS->size - i + 1, > &out->parsedURLs[URLcount] ) This seems to be a CWE-372 ("Incomplete Internal State Distinction") issue in which the code expected to be in a state where it was operating on a set of validated URIs from a CALLBACK header, but actually was in a state where it was operating on a set of all URIs from a CALLBACK header. A validation step occurs for every URI, and the amount of memory allocated is correct for the set of validated URIs, but there is simply no data model for the set of validated URIs. (Conceivably, the set of validated URIs could be in its own array, or each URI in the original array could have a flag indicating whether it was valid.) Use CVE-2016-8863. As mentioned, this has a resultant heap buffer overflow. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYCO/sAAoJEHb/MwWLVhi2WxMP/iE4erxSoRjKIE42RHEoeGq2 UDy+y+B9Sf/xK0zWtZGB06Mmkli+v7SLKOkWK7oWHJ4tQa4NXCvKbzwfLbyX3jDZ Ul7IE42LFCti/bJqb1qQwqjM/LzMtOSloofBI5pMocYkBKnjaLq1PwRGDTKzyVEN 7Hs8LhzkUsqDdr4z5bk1NhDNhBHDg+4pIJ91rFrqkL06bWIsUAnfUJmWE7wWGWGp XePAkR+yOkvOpsgdWPFmaUNU3t7iPkRhw/P24O8QG+So39z5DVts4IHYoOQHmIa5 OtNKauWUxLMIOkUneZbWEazLrrglKGoG0VJzqXpNDAXciRPd6DNQ3GueJjthBkoG LrfsoTdUrpGA+q33DipHxg2Aj+OaN/LUQ1n+mYE09k3Iy+4OHN7xZ9VWUWirYkDL /JODFta8VX3BsMGFjUwNsICaxJm/kARxY72A7mKvJsEZ6Jow4seIIgzmFiBPqzPC ErcnxLIvbJOiy9jw0hP3qGH5I/5N1h+7ViUqS97mOy4MySgVs1kKtU+ZVpL4h1PK 7smULHLCAKKLqpJS8smcd08ZmetYtB4s3ccPM0Yn7vQKRI92mCRgTpJh5IhqSmiZ IoesKUf10Ml+xx/DR5WEEZ4ACHn+Q7nUzMhobzHWQbG0NdXzUWXdWZQdkmS2NBfH 1shVmylDTkJ5tLBQwHmM =WKq1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.