Message-ID: <20150403172223.GA5593@shiftout.net>
Date: Fri, 3 Apr 2015 18:22:23 +0100
From: "Iain R. Learmonth" <irl@...e.org>
To: oss-security@...ts.openwall.com
Subject: Request CVE for LinuxNode - DoS vulnerability

Hi,

I'm a member of the Debian Hamradio Maintainer's team and a
denial-of-service bug has been reported on our package ax25-node. (Debian
bug: https://bugs.debian.org/777013) I would like to request a CVE for this
vulnerability.

The software in this package is identified as LinuxNode in the README
contained in the source package. The author is identified as Tomi Manninen
OH2BNS, <tomi.manninen@....fi> although attempts have been made to contact
the author and have been unsuccessful, as mentioned in the Debian bug
report.

https://sources.debian.net/src/node/0.3.2-7.4/README/

From the bug report:

"The SIGQUIT routine fails to close the app leaving the IP sockets open and
in some cases DDOS the remote site if a user "ctrl-]+q" out of a telnet
session.  Also the app fails to close and more can be spawned by a crafty
malicious user thus bringing the system to a point of no memory available."

Brian N1URO on the bug report maintains a replacement node package and I am
confident that his report is accurate. He found this vulnerability in 2005,
but due to an unresponsive upstream this got lost. This is the first request
for a CVE for this vulnerability.

This appears to be an issue affecting multiple versions, although I can only
say that it is present in 0.3.2.

I am happy to provide more information if needed and I can be contacted at:

  irl@...e.org

Thanks,
Iain.

-- 
e: irl@...e.org            w: iain.learmonth.me
x: irl@...ber.fsfe.org     t: EPVPN 2105
c: 2M0STB                  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
