Message-Id: <20150329062148.7E31113A8B6@smtpvmsrv1.mitre.org>
Date: Sun, 29 Mar 2015 02:21:48 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: arj: free on invalid pointer due to buffer overflow

> Jakub Wilk reported arj crashing on an ARJ file in [1]. Guillem Jover
> pointed out that the invalid pointer is due to a buffer overflow write
> access initiated by a value which is under user control, see [2]. He
> prepared as well a patch for this issue [3]. Could you assign a CVE for
> this issue?
>
> [1] https://bugs.debian.org/774015
> [2] https://bugs.debian.org/774015#11
> [3] http://git.hadrons.org/gitweb/?p=debian/pkgs/arj.git;a=blob_plain;f=debian/patches/security-afl.patch

For purposes of determining the number of CVE IDs,
https://bugs.debian.org/774015#11 is considered a 2015 vulnerability
announcement, and https://bugs.debian.org/774015#3 is not considered a
vulnerability announcement at all. (There was another conceivable
interpretation in which part of security-afl.patch fixed an issue
discovered by Jakub Wilk in 2014, and another part of security-afl.patch
fixed a second similar issue discovered by Guillem Jover in 2015, with
two CVEs. We aren't doing that here.)

Use CVE-2015-2782.
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]