Message-Id: <20160728210138.B68BC42E01D@smtpvbsrv1.mitre.org>
Date: Thu, 28 Jul 2016 17:01:38 -0400 (EDT)
From: cve-assign@...re.org
To: ago@...too.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: paps: heap overflow when processing crafted file

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> it was discovered during fuzzing that a crafted file causes a heap overflow
> in paps ( https://sourceforge.net/projects/paps/ ).

We would need someone to contribute additional risk analysis before we
would assign a CVE ID. We realize that
https://blogs.gentoo.org/ago/2016/07/28/paps-heap-based-buffer-overflow-in-read_file-paps-c/
says "It provides both a stand alone command line tool as well as a
library." The https://sourceforge.net/p/paps/code/ci/master/tree/src/
code has the library (in libpaps.c) whereas the
https://github.com/dov/paps code does not.

In any case,
https://blogs.gentoo.org/ago/2016/07/28/paps-heap-based-buffer-overflow-in-read_file-paps-c/
is about a buffer under-read in the read_file function, which is only
called from main (not called from any library code). Also, the patch
is apparently only about handling empty files, not about handling any
other type of crafted file.

If the user runs the command-line program on an empty file, a
"heap-buffer-overflow ... READ of size 1" occurs when trying to read
the last character of the file to determine if it's a \n character. To
avoid this impact, the user can simply stop running paps on empty
files. Because we don't see any other risk, we are not providing a CVE
ID at this time.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
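
Added example, not part of the original message and not the paps source: a C sketch of the last-character check the message describes, with the unchecked form beside a length-checked one. The function names and the step of appending a missing newline are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked form of the pattern described in the message: with len == 0,
 * len - 1 wraps around and the read lands one byte before the buffer,
 * which AddressSanitizer reports as "heap-buffer-overflow ... READ of size 1". */
int ends_with_newline_unchecked(const char *buf, size_t len)
{
    return buf[len - 1] == '\n';
}

/* Length-checked form: an empty buffer has no last character to inspect. */
int ends_with_newline(const char *buf, size_t len)
{
    return len > 0 && buf[len - 1] == '\n';
}

/* Hypothetical consumer (assumption): return a NUL-terminated copy of
 * buf[0..len) that always ends in '\n'. Caller frees the result. */
char *with_trailing_newline(const char *buf, size_t len, size_t *out_len)
{
    size_t need_nl = ends_with_newline(buf, len) ? 0 : 1;
    char *out;

    if (len > SIZE_MAX - 2)          /* guard the size computation below */
        return NULL;
    out = malloc(len + need_nl + 1);
    if (out == NULL)
        return NULL;
    if (len > 0)
        memcpy(out, buf, len);
    if (need_nl)
        out[len] = '\n';
    out[len + need_nl] = '\0';
    *out_len = len + need_nl;
    return out;
}

int main(void)
{
    size_t n = 0;
    char *copy = with_trailing_newline("", 0, &n);   /* constructed empty input */

    if (copy == NULL)
        return 1;
    printf("empty input -> %zu byte(s), newline-terminated: %d\n",
           n, ends_with_newline(copy, n));
    free(copy);
    return 0;
}
```

Building with `-fsanitize=address` and passing an empty heap buffer to the unchecked function reproduces the class of report quoted in the message; the checked form returns 0 without touching memory.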