|
Message-ID: <55378cfd01cb465480674eec75226bf6@imshyb02.MITRE.ORG> Date: Mon, 5 Dec 2016 17:13:43 -0500 From: <cve-assign@...re.org> To: <meissner@...e.de> CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com> Subject: Re: CVE Request: zlib security issues found during audit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib > https://wiki.mozilla.org/images/0/09/Zlib-report.pdf > https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit > had some findings (1 medium, 4 low) Here are 4 CVE IDs; it is not a one-to-one mapping. > Finding 1: Incompatible declarations for external linkage function deflate (Medium) > Fix: https://github.com/madler/zlib/commit/3fb251b363866417122fe54a158a1ac5a7837101 We feel that the scope of CVE should, ideally, omit unexploitable code-quality issues. The PDF report has a number of comments about Finding 1; however, one comment is "current compilers process this code without issues." A finding can be important to the practice of software development without being important for vulnerability management. For now, the answer is that there is no CVE ID. > Finding 2: Accessing a buffer of char via a pointer to unsigned int (Low) > UNRESOLVED:This issue remains under discussion There is no CVE ID. The PDF report mentions, for example, "There are several possible fixes ... Do nothing." > Finding 3: Out-of-bounds pointer arithmetic in inftrees.c (Low) > https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0 Use CVE-2016-9840. > https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb Use CVE-2016-9841. > Finding 4: Undefined left shift of negative number (Low) > Fix: https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958 Use CVE-2016-9842. > Finding 5: Big-endian out-of-bounds pointer (Low) > Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811 Use CVE-2016-9843. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYReVZAAoJEHb/MwWLVhi22fMP/j6Pw7FkFDrKLjy/okWP/QoM imxWROlUse9/xACgcA+9eMiGbkm54ntx20bpEWOAUA8+H1KW+bvCrcFX3a6d1IuE vVrI0XcKQiKwVngem5XPEcvtAwFa85U4RUFZmYcqPYe7n0Yo7LoWwH9HI6/8Mziq yGIKgcPfY88FA8YM0DeSmkwQJ7WByKF4TzoChd6pK2NlwP1SFa2lMgrg4JhM9PAs 9d2ye1OkVvVV1BPnjhVFe8S0Ze8IeOy1jeKS4lUbpgIZn4WdbERQ3ORAPuhRxAdZ mn7/MbulenkQKd3vnEKmA8qK5p/h6E8jnCUCbasgAtsareZHgPmDd7NON3LmmAYG q0X8Rrk13i2h+gpGVJlT7D4Gx/n3gIEBbSKNmBIPjQmXH/sOQN/0XLls/Cock4Pm mjw3mIFLu/CQ1JNBdMQpY9zMpAHQzMX0qAfiJa0f/UfaN4k8A6uQAJWWskl48aBs xp/dz2nOVJcCwmbmkKsfied610QLC8yXwXGmh+TTPxpSXxkr0+o3r5m8S7sjkMJA Uuctv6UEKx6wqJum1G7UDcpkQVzSJOXvZ2TKzMhHirjfrUlg7Bfg31kQj0IfKicn VeLM3IBnrvl08u1Dpi9A62YSPtuQQZ+8XqcVfUB/0Wf+0uaV/Wp5as0ylPWMlpBK 9foWchAV8inhIVAMDbwQ =P6rB -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.