Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160630134439.2449D6C0AE6@smtpvmsrv1.mitre.org>
Date: Thu, 30 Jun 2016 09:44:39 -0400 (EDT)
From: cve-assign@...re.org
To: boehme.marcel@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, florian@...h-krohm.de, nickc@...hat.com, bschmidt@...hat.com
Subject: Re: CVE Request: No demangling of untrusted binaries (2)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A stackoverflow in the libiberty demangler causes its host application
> to crash on a tainted branch instruction. The problem is caused by a
> self-reference in a mangled type string that is "remembered" for later
> reference. This leads to an infinite recursion during the demangling.
> 
> * GDB exploitable classifies the stack overflow as exploitable.
> 
> * Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
> 
> * Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html
> 
> All vulnerabilities were found with a more efficient version of the AFL fuzzer, called AFLFast.

>> The patch tracks the mangled types that are currently being demangled
>> in a new variable called work->proctypevec. If a referenced type is
>> currently being demangled, the demangling is marked as not successful.

Use CVE-2016-6131.

As far as we can tell, there was only one vulnerability reported here.
We don't understand the reference to "All vulnerabilities were found
with" - this seems to imply more than one vulnerability. Also, we
don't understand the parenthesized numbers such as "No demangling of
untrusted binaries (2)" in the Subject line, and "Libiberty Demangler
segfaults (6)" and "Fix fir PR71696 in Libiberty Demangler (6)" in the
references.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXdSHOAAoJEHb/MwWLVhi2SOMP/37QfylN++UvAd0PdO/ZTc00
Vk+piwJvzeVoAv2Jp8ZwU1S4hj43LlXR9WrK0NX/lLUwId69Zao6faWGO203hDnz
4TrmvuRyVT7jT5df6NVadwOawEeEklRuI56fBnm7e09nuchLpg1314TsiyqmHo1C
Ca41bfkIj091KAKW3nKER37ALb2DG2dSfR4+9ksTaalhdDwaykKwy9eYHcbA7+Sd
76Dra1MRTGgHr+YTIrqASn+lXC/ar/+rqy81oUZK38XviK8rkK+oKY6ODz9DHmED
815kkv8iflHezxsEW5PSWP9oQ5C7wGD7bju480ziqZF/r8bjW5dwm5jeEiTd6XWj
b1R05LqhnldiaSlYT/TqaFz6Pbu3uEbTUjOqH/Sn85MHFLVKJ3ZeLOzYUamaDRN7
KcHQPNM2GW6zcJJax9UEd0qseCvmn04X9NrNNjL06RstrxGtLeFGRQjyRX83uRij
mue5U2pf27YSKeVTo3CHw/q65Xwe+a/uSOoJzGYnmkGdx2Eu/3DKLsCqxP9d5BA2
jY+MnwkvctJpBzy6kxfeSGJkZ/N7np/yzD6k/hfJrGEgTaB7qfZ8NeHX3WTjiT73
MvkAAvICRwnLRN93buvCwMDQNl4xOSCVg3eK2slpxFxaU6/dsH/W+BUN20/Gkmf6
dsWpgmbMAUIb6gmzPCR2
=De4P
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.