Date: Wed, 12 Apr 2017 15:00:45 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: CVE-2017-7592: libtiff: left shift On Mon, 10 Apr 2017 08:29:31 +0100 Simon McVittie <smcv@...ian.org> wrote: > This is a bug, but how is it a security vulnerability? Can an attacker > exploit it for DoS or code execution or something with a malformed > TIFF image? Quesitons like this come up quite often. Maybe we need a final definite answer to them all :-) The reasoning is roughly: It's undefined behavior, so the compiler can do whatever it wants. So all undefined behavior should be considered security relevant, because the compiler can always do something that will turn it into a vuln. Whether you agree to this or not, it's definitely good secure coding practice to avoid undefined behavior. People have different ideas of what to call a vuln and what not. CVE-assigners have lately taken a very wide approach of declaring many things as cve-worthy. Just accept that not every CVE means "it's definitely exploitable". -- Hanno Böck https://hboeck.de/ mail/jabber: hanno@...eck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.