Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180228202410.GA822@inutil.org>
Date: Wed, 28 Feb 2018 21:24:10 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Information on file, sqlite, libarchive, pcre issues for CVE IDs
 assigned by Apple?

Hi,
Apple has assigned a few CVE IDs for open source components not engineered at Apple:

https://support.apple.com/en-us/HT208144 refers to

file
  Available for: OS X Mountain Lion 10.8 and later
  Impact: Multiple issues in file
  Description: Multiple issues were addressed by updating to version 5.30.
  CVE-2017-7121: found by OSS-Fuzz
  CVE-2017-7122: found by OSS-Fuzz
  CVE-2017-7123: found by OSS-Fuzz
  CVE-2017-7124: found by OSS-Fuzz
  CVE-2017-7125: found by OSS-Fuzz
  CVE-2017-7126: found by OSS-Fuzz

SQLite
  Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  Impact: Multiple issues in SQLite
  Description: Multiple issues were addressed by updating to version 3.19.3.
  CVE-2017-10989: found by OSS-Fuzz
  CVE-2017-7128: found by OSS-Fuzz
  CVE-2017-7129: found by OSS-Fuzz
  CVE-2017-7130: found by OSS-Fuzz

SQLite
  Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  Impact: An application may be able to execute arbitrary code with system privileges
  Description: A memory corruption issue was addressed with improved memory handling.
  CVE-2017-7127: an anonymous researcher

https://support.apple.com/en-us/HT208221 refers to:

libarchive
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
  Description: Multiple memory corruption issues existed in libarchive. These issues were addressed through improved input validation.
  CVE-2017-13812: found by OSS-Fuzz

libarchive
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
  Description: A buffer overflow issue was addressed through improved memory handling.
  CVE-2017-13813: found by OSS-Fuzz
  CVE-2017-13816: found by OSS-Fuzz

file
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Multiple issues in file
  Description: Multiple issues were addressed by updating to version 5.31.
  CVE-2017-13815

PCRE
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Multiple issues in pcre
  Description: Multiple issues were addressed by updating to version 8.40.
  CVE-2017-13846

Of the IDs mentioned above, only CVE-2017-10989 refers to specific, identifiable information.
Does anyone on the list have additional information on any of these bugs; allowing to map them
to upstream bug reports/patches?

Why does the Apple CNA have a mandate to assign CVE IDs to generic FLOSS components not
written by Apple to begin with? Especially if they're not participating in standard open source
security information sharing practices.

Cheers,
        Moritz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.