Date: Wed, 28 Feb 2018 21:24:10 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Information on file, sqlite, libarchive, pcre issues for CVE IDs
 assigned by Apple?

Hi,
Apple has assigned a few CVE IDs for open source components not engineered at Apple:

https://support.apple.com/en-us/HT208144 refers to

file
  Available for: OS X Mountain Lion 10.8 and later
  Impact: Multiple issues in file
  Description: Multiple issues were addressed by updating to version 5.30.
  CVE-2017-7121: found by OSS-Fuzz
  CVE-2017-7122: found by OSS-Fuzz
  CVE-2017-7123: found by OSS-Fuzz
  CVE-2017-7124: found by OSS-Fuzz
  CVE-2017-7125: found by OSS-Fuzz
  CVE-2017-7126: found by OSS-Fuzz

SQLite
  Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  Impact: Multiple issues in SQLite
  Description: Multiple issues were addressed by updating to version 3.19.3.
  CVE-2017-10989: found by OSS-Fuzz
  CVE-2017-7128: found by OSS-Fuzz
  CVE-2017-7129: found by OSS-Fuzz
  CVE-2017-7130: found by OSS-Fuzz

SQLite
  Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  Impact: An application may be able to execute arbitrary code with system privileges
  Description: A memory corruption issue was addressed with improved memory handling.
  CVE-2017-7127: an anonymous researcher

https://support.apple.com/en-us/HT208221 refers to:

libarchive
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
  Description: Multiple memory corruption issues existed in libarchive. These issues were addressed through improved input validation.
  CVE-2017-13812: found by OSS-Fuzz

libarchive
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
  Description: A buffer overflow issue was addressed through improved memory handling.
  CVE-2017-13813: found by OSS-Fuzz
  CVE-2017-13816: found by OSS-Fuzz

file
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Multiple issues in file
  Description: Multiple issues were addressed by updating to version 5.31.
  CVE-2017-13815

PCRE
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Multiple issues in pcre
  Description: Multiple issues were addressed by updating to version 8.40.
  CVE-2017-13846

Of the IDs mentioned above, only CVE-2017-10989 refers to specific, identifiable information.
Does anyone on the list have additional information on any of these bugs that would allow mapping them
to upstream bug reports/patches?

Why does the Apple CNA have a mandate to assign CVE IDs to generic FLOSS components not
written by Apple to begin with? Especially if they're not participating in standard open source
security information sharing practices.

Cheers,
        Moritz
