Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20170412150045.2ce45082@pc1>
Date: Wed, 12 Apr 2017 15:00:45 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-7592: libtiff: left shift

On Mon, 10 Apr 2017 08:29:31 +0100
Simon McVittie <smcv@...ian.org> wrote:

> This is a bug, but how is it a security vulnerability? Can an attacker
> exploit it for DoS or code execution or something with a malformed
> TIFF image?

Quesitons like this come up quite often. Maybe we need a final definite
answer to them all :-)

The reasoning is roughly: It's undefined behavior, so the compiler can
do whatever it wants. So all undefined behavior should be considered
security relevant, because the compiler can always do something that
will turn it into a vuln.
Whether you agree to this or not, it's definitely good secure coding
practice to avoid undefined behavior. People have different ideas of
what to call a vuln and what not. CVE-assigners have lately taken a
very wide approach of declaring many things as cve-worthy. Just accept
that not every CVE means "it's definitely exploitable".

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.