Message-Id: <20151103200523.E8C2272E00E@smtpvbsrv1.mitre.org>
Date: Tue, 3 Nov 2015 15:05:23 -0500 (EST)
From: cve-assign@...re.org
To: kristian.fiskerstrand@...ptuouscapital.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: pycurl use after free fixed in version 7.19.5.2

> https://github.com/pycurl/pycurl/commit/602f8e364634d386524f0396e962c2c9de0536a9
>
> my understanding is that use-after-free generally gets assigned a CVE
> based on CWE 416

There isn't that type of direct relationship between the existence of a CWE ID and the availability of a CVE ID for an instance of the weakness. CVE, for example, involves additional decision points about whether the weakness is a mistake (here, yes) and about whether the weakness is exploitable in a way that crosses a privilege boundary (here, possibly not).

It's also necessary that the vulnerability existed in something akin to "shipped code." The patch seems to be possibly related to "PyTuple" and the ChangeLog has "List and tuples are now accepted in all positions of HTTPPOST option values" for the same version. If the problem only existed in unshipped code between 7.19.5.1 and 7.19.5.2 as tuple support was being developed, then it typically would not have a CVE ID.

> I haven't looked into the code in any detail for exploitability

Anyone is welcome to provide additional analysis. We can accept a threat model in which a Python script allows an untrusted person to control the string data for properly formed setopt calls. We probably can't accept an implausible threat model in which a Python script allows an untrusted person to make improperly formed setopt calls.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]