Message-Id: <20150603204201.24578B2E078@smtpvbsrv1.mitre.org>
Date: Wed, 3 Jun 2015 16:42:01 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Stack out of bounds read access in uudecode / sharutils

> What I can say is that many very similar issues I reported in the past
> got CVEs (lately e.g. in wireshark and curl).

What makes uudecode different is that the discovery was an out-of-bounds read, and uudecode is neither a library nor a multiple-input program. (Wireshark is a multiple-input program in the sense that it is commonly used for live packet capture, and must remain running to capture packets that are sent later. Some other programs are multiple-input programs because they maintain the state of multiple sessions.)

In these situations (i.e., OOB-read library=no multiple-input=no), obtaining a CVE ID currently requires a realistic scenario with a security impact. One class of scenarios, as mentioned, is data exfiltration. Another possible class of scenarios involves a read operation that triggers a change to the program's control flow.

We're not sure that it would be worthwhile to try to document (in advance) all possible combinations of product attributes and issue categories, in order to suggest which combinations need more impact analysis than others.

Also, we realize that some oss-security readers may be very interested in crash reports that ultimately cannot have CVE IDs. For example, these reports may help to suggest a specific type of code-quality problem in a named product, and that information could be quite useful in choosing the direction of follow-on research into exploitable problems in that product.
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]