Message-Id: <20161027064453.D3E771BE040@smtpvbsrv1.mitre.org>
Date: Thu, 27 Oct 2016 02:44:53 -0400 (EDT)
From: cve-assign@...re.org
To: gustavo.grieco@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: librsvg and cairo are causing libpng to write out-of-bounds

> A patch was recently proposed:
> 
> https://bugs.freedesktop.org/attachment.cgi?id=127421
> 
> thanks to John Bowler and his detailed analysis of this issue:
> 
> https://bugs.freedesktop.org/show_bug.cgi?id=98165
> 
> Can we have a CVE, now that we know it was an integer overflow and we have
> a patch?

Yes, use CVE-2016-9082 for everything fixed by
attachment.cgi?id=127421. Our understanding is that cairo is the
primary affected product.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
