Message-ID: <51CBC448.6010400@redhat.com>
Date: Wed, 26 Jun 2013 22:49:12 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>,
        cve-assign@...re.org, "Steven M. Christey" <coley@...re.org>
Subject: 1.2k bug reports for Debian, some may be security

http://lists.debian.org/debian-devel/2013/06/msg00720.html

From: Alexandre Rebert <alexandre.rebert@...il.com>

Hi,

I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from Debian
wheezy packages. After contacting owner@...s.debian.org, Don Armstrong
advised us to contact you before submitting ~1.2K bug reports to the
Debian BTS using maintonly@...s.debian.org (to avoid spamming
debian-bugs-dist).

We found the bugs using Mayhem [1], an automatic bug finding system
that we've been developing in David Brumley's research lab for a
couple of years. We recently ran Mayhem on almost all ELF binaries of
Debian Wheezy (~23K binaries) [2], and it reported thousands of
crashes.
=================

I will of course be doing CVEs for these (*sob*). In order to make
this possible though I'm going to need some help in the form of good
CVE requests; in this case I will be fascist. The following data will
be required:

For each package:
CVE requesters name / email (sending an email should be fine)
Official Debian Package name
Official upstream name and URL to site
Affected version in Debian

Then for each vuln:
Link to Debian bug entry
Description of vuln/type (like one sentence)
Link to code fix (mandatory)
Attack outcome (is this a security vulnerability in other words)

Or else I will get steamrolled.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
