Message-Id: <20140915152812.40B77336003@smtpvbsrv1.mitre.org>
Date: Mon, 15 Sep 2014 11:28:12 -0400 (EDT)
From: cve-assign@...re.org
To: kristian.fiskerstrand@...ptuouscapital.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE assignment for c-icap Server

> http://sourceforge.net/p/c-icap/bugs/59/

> i found the bug in the parse_request() function.
> Please see the details in the attachment.
> <Peter Berestov> pberestov@...il.com

> If a buffer doesn't contain " " or "?" then the *end pointer will increase
> The pointer can leave the area of memory allocated for the buffer.

Use CVE-2013-7401 for this specific issue discovered by Peter Berestov.

> chtsanti 2013-10-02
>
> This bug and many other related fixed in trunk with patches:
> r1018 and r1021.
>
> http://sourceforge.net/p/c-icap/code/1018/
>
> Fix multiple problems on parsing ICAP requests. In many cases the c-icap may
> crash if not found a normal ICAP request.

Use CVE-2013-7402 for the chtsanti discoveries, i.e., the other issues in the pre-r1018 code that made a remote crash possible. This might, for example, include attack vectors with invalid method names.

There is no CVE ID for the http://sourceforge.net/p/c-icap/code/1021 issue. This seems to be a usability problem that was introduced by the first version of the security fixes.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
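
Added example, not part of the original message and not c-icap code: a bounded scan for the " " or "?" delimiter that the quoted report describes, inside a minimal ICAP request-line parser that rejects input lacking either delimiter instead of reading past the buffer. The struct, the function names and the sample request are hypothetical; the real parse_request() is not shown on this page, and which token it scans is an assumption here.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names; this is not c-icap's parse_request(). */
struct req_line {
    const char *method; size_t method_len;
    const char *uri;    size_t uri_len;    /* up to ' ' or '?' */
    const char *args;   size_t args_len;   /* after '?', may be empty */
};

/* Unbounded pattern of the kind reported: while (*end != ' ' && *end != '?') end++;
 * The bounded scan below stops at a delimiter, a NUL, or lim, never beyond. */
static const char *scan_until(const char *p, const char *lim, const char *delims)
{
    while (p < lim && *p != '\0' && strchr(delims, *p) == NULL)
        p++;
    return p;
}

/* Returns 0 on success, -1 on a malformed or truncated request line. */
static int parse_request_line(const char *buf, size_t len, struct req_line *out)
{
    const char *lim = buf + len, *p = buf, *end;
    end = scan_until(p, lim, " ");
    if (end == p || end == lim || *end != ' ')
        return -1;                         /* empty method or no separator */
    out->method = p; out->method_len = (size_t)(end - p);
    p = end + 1;
    end = scan_until(p, lim, " ?");
    if (end == p || end == lim || *end == '\0')
        return -1;                         /* no ' ' or '?': the reported case */
    out->uri = p; out->uri_len = (size_t)(end - p);
    out->args = end; out->args_len = 0;
    if (*end == '?') {
        p = end + 1;
        end = scan_until(p, lim, " ");
        if (end == lim || *end != ' ')
            return -1;                     /* arguments not terminated */
        out->args = p; out->args_len = (size_t)(end - p);
    }
    return 0;
}

int main(void)
{
    const char line[] = "REQMOD icap://h/svc?a=1 ICAP/1.0"; /* constructed sample */
    struct req_line r;
    return parse_request_line(line, strlen(line), &r) == 0 ? 0 : 1;
}
```

The length is passed explicitly so the parser does not depend on the receive buffer being NUL-terminated.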