Message-ID: <55378cfd01cb465480674eec75226bf6@imshyb02.MITRE.ORG>
Date: Mon, 5 Dec 2016 17:13:43 -0500
From: <cve-assign@...re.org>
To: <meissner@...e.de>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: zlib security issues found during audit

> https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib
> https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
> https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit
> had some findings (1 medium, 4 low)

Here are 4 CVE IDs; it is not a one-to-one mapping.

> Finding 1: Incompatible declarations for external linkage function deflate (Medium)
> Fix: https://github.com/madler/zlib/commit/3fb251b363866417122fe54a158a1ac5a7837101

We feel that the scope of CVE should, ideally, omit unexploitable
code-quality issues. The PDF report has a number of comments about
Finding 1; however, one comment is "current compilers process this code
without issues." A finding can be important to the practice of software
development without being important for vulnerability management. For
now, the answer is that there is no CVE ID.

> Finding 2: Accessing a buffer of char via a pointer to unsigned int (Low)
> UNRESOLVED: This issue remains under discussion

There is no CVE ID. The PDF report mentions, for example, "There are
several possible fixes ... Do nothing."

> Finding 3: Out-of-bounds pointer arithmetic in inftrees.c (Low)
> https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0

Use CVE-2016-9840.

> https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb

Use CVE-2016-9841.

> Finding 4: Undefined left shift of negative number (Low)
> Fix: https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958

Use CVE-2016-9842.

> Finding 5: Big-endian out-of-bounds pointer (Low)
> Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811

Use CVE-2016-9843.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
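The defect class behind Finding 4 (CVE-2016-9842) is a left shift whose left operand can be negative, which C leaves undefined. The following is an added illustration written for this page, not zlib's code and not the change in the linked commit: the function names (pack_undefined, pack_defined) and the "-1 as a sentinel combined with a 16-bit field" scenario are hypothetical. It shows the undefined form next to the usual remedy of doing the shift in unsigned arithmetic, where wraparound is specified.

```c
#include <stdio.h>

/* Hypothetical model of the defect class: a signed value that may hold
 * -1 as a sentinel is combined with a 16-bit field by shifting it left.
 * When back < 0 the expression (back << 16) is undefined behaviour
 * (C11 6.5.7p4), so the compiler may assume it never happens and
 * optimise on that assumption. Kept only as the "before" reference;
 * not called with negative input below. */
static long pack_undefined(long back, unsigned lo)
{
    return (back << 16) + (long)lo;   /* UB whenever back is negative */
}

/* Remedy: convert to unsigned first. Signed-to-unsigned conversion is
 * well defined (modular), and shifting an unsigned value is well defined
 * as long as the shift count is less than the type width. The final
 * unsigned-to-signed conversion of an out-of-range value is
 * implementation-defined in C11/C17 (two's complement on every mainstream
 * target, and mandated by C23), which is the accepted trade-off. */
static long pack_defined(long back, unsigned lo)
{
    return (long)(((unsigned long)back << 16) + lo);
}

/* Detection aid: gcc and clang report the undefined form at run time when
 * the program is built with -fsanitize=shift (part of -fsanitize=undefined);
 * the defined form is silent under the same build. */
int main(void)
{
    printf("pack_defined(3, 7)       = %ld\n", pack_defined(3, 7));
    printf("pack_defined(-1, 0x1234) = %ld\n", pack_defined(-1, 0x1234));
    printf("pack_undefined(3, 7)     = %ld\n", pack_undefined(3, 7));
    return 0;
}
```

Compiling with `-fsanitize=shift` and feeding a negative `back` to the undefined form is how an audit like the one cited above surfaces this class of issue before it reaches a release; the defined form is the shape reviewers should expect to see after the fix.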