Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20141026220501.33E638BC018@smtpvmsrv1.mitre.org>
Date: Sun, 26 Oct 2014 18:05:01 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: strings / libbfd crasher

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html

First, here are the two current CVE assignments for libbfd in GNU
binutils. More CVE assignments may occur later (in particular, see
below about versados.c). Affected programs apparently include strings
(on some but not all platforms) as well as objdump and nm. The readelf
program is not affected.

CVE-2014-8484 is for the incorrect decrements in cases of S-records
that are too short. References are:

  https://sourceware.org/bugzilla/show_bug.cgi?id=17509
  http://openwall.com/lists/oss-security/2014/10/23/5
    
The available information at the moment is that this is fixed in
binutils 2.25 (not yet available on the
http://ftp.gnu.org/gnu/binutils/ site), whereas new discoveries in
October 2014 might not all be fixed in 2.25. Regardless of the actual
content of 2.25, CVE-2014-8484 will remain a separate CVE.

http://openwall.com/lists/oss-security/2014/10/23/8 (i.e., the
five-byte S100\n file) is not, by itself, an attack that crosses
privilege boundaries in realistic circumstances, so this report is not
currently part of any CVE.


CVE-2014-8485 is for the current
https://sourceware.org/bugzilla/show_bug.cgi?id=17510 content, i.e.,
incorrect "--n_elt / ++idx" code that makes the attachment 7846 and
attachment 7848 attacks possible.


The much earlier research by Tavis Ormandy is already covered by
CVE-2005-1704. There is also CVE-2006-2362, which is an unrelated
discovery.

There is currently no CVE ID for the
psa-dont-run-strings-on-untrusted-files.html "0xdeadbabe October 25,
2014 7:20 PM" comment about "another one related with PE file headers
parsing." In general, a separate discovery that's potentially
exploitable for code execution could have its own CVE ID. Does anyone
want a CVE ID for that?

Similarly, there are currently no CVE IDs for the
https://sourceware.org/bugzilla/show_bug.cgi?id=16825 versados.c
report. Does anyone want that report covered in CVE? Depending on
exploitability, it would have approximately two CVE IDs.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUTW9VAAoJEKllVAevmvmswQ8IAIylWSMBjluWJVfD3DJtR8cf
ij8mT0ODIzBlX/Nki29QcaRP20iUChqk+TMh7xHCFUe2p3gHm3dY+AilQSJk7hCh
JYDC4yhKMe9bjA9YSnD8A9yUtDPww81wdOmdLHbKd31pN46pM3T6Bgu/IZv3zDbl
UcEtBH7kYTK5SbZalDccMLTnkoT+SrGkvfOwoyyp2yoHFJt2KNPaipza/BKLyARl
I4wVa/sv83FihpQy8Th7lEVXfltKISUU2rSCd7YZNRaxZeuUKEwni3eJkwzE7oDX
oyPVXd+uLoyh2GPO75qro9ZP3vd3hq5diyjZVP4loPhJNcEO88v+Xlw3mjEZgH0=
=+vIX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.