Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20150312213758.C6F7972E115@smtpvbsrv1.mitre.org>
Date: Thu, 12 Mar 2015 17:37:58 -0400 (EDT)
From: cve-assign@...re.org
To: fweimer@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: glibc scanf implementation crashes on certain inputs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://sourceware.org/bugzilla/show_bug.cgi?id=13138
> 
> causes scanf and related functions to crash when processing certain
> inputs. This happens with the numeric conversions (%d, %f and others),
> and includes valid numbers (ISO C allows crashes or worse on invalid
> inputs, but glibc is buggy even by this standard).
>
> The first glibc version which received the fix for this bug is 2.15.

Use CVE-2011-5320 for the
https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c4 issue, i.e.,
the "huge string of zeros" attack vector.

The scope of this CVE does not include the original "5"x21000000 input
string for a %i argument. As far as we can tell, Bug 13138 doesn't
resolve the question of whether a crash is a permitted behavior for
that input. It seems that the relevant standards perhaps should have
specified that that results in an ERANGE error without a crash, but
the published wordings are not precise enough to determine whether
unexpected "5"x21000000 handling is a vulnerability.

Similarly, the scope of this CVE certainly does not include "string
conversions that overflow the destination buffer" in the
https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c3 comment. In
that case, undefined behavior is the documented outcome, so we feel
that there isn't a vulnerability.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVAgZmAAoJEKllVAevmvms/84H/0tjViMSuEM83gujKzVjRAB0
ulmErPQSY5BmgSux5DeLA2SQiYLEkX/0wpacjwytuHa2R6PBEWEJEj6PpRw6zUpQ
/FOGwUeekpL6gmanOb8jRETDvyFXaDYqlwkRf/+UbUzEqKccRoM6lcV6asscafQL
WIeo/tsz54lsXiUudHS8ZVIrCbO+BVOEKHGZ5RTlBm9cGryllf7fcnDgp6IkahHZ
2+nOAAtUq8gur0j/4HBDAoseUH+fvRkEJfC52wSrJAefV4SMF9JDrTqssnYgux1F
xeQs0AZDDr2iGS5bkaxc2PZ14UcASex+mrYp6I0c7klvMcwDuWWQRZc3qTLJBPY=
=RpzJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.