oss-sec mailing list archives
Re: About CVE-2012-5645
From: Marko Lindqvist <cazfi74 () gmail com>
Date: Sun, 30 Dec 2012 13:05:42 +0200
On 30 December 2012 05:48, Kurt Seifried <kseifried () redhat com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/21/2012 05:26 PM, Marko Lindqvist wrote:I saw message that Freeciv bug #20003 has been assigned CVE-2012-5645 : http://seclists.org/oss-sec/2012/q4/484 I'd like to clarify things a bit. It was not single issue, but more like two separate issues. Most importantly this leads to patch listed (http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670) to fix only part of the problems described. Something like: A denial of service flaw was found in the way the server component of Freeciv, a turn-based, multi-player, X based strategy game, processed certain packets (invalid packets with whole packet length lower than packet header size). A remote attacker could send a specially-crafted packet that, when processed would lead to freeciv server to terminate (due to memory exhaustion) The other half: A denial of service flaw was found in the way the server component of Freeciv, a turn-based, multi-player, X based strategy game, processed certain packets (syntactically valid packets, but whose processing would lead to an infinite loop). A remote attacker could send a specially-crafted packet that, when processed would lead to freeciv server to become unresponsive (due to excessive CPU use). is fixed in http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701 Both are fixed in 2.3.3 (and patch versions applied to the stable branch S2_3 release was made from: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672 , http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703 ) - MLHmm I'm waffling here. The issues are the same version/reporter, roughly the same, can you post the http://cwe.mitre.org/ identifiers for these two issues? If they are different enough this might warrant a CVE split but for now I'm leaving it merged.
Yes, had it fixes for both parts listed from the start, there would be no problem. The problem is the confusion over where CVE-2012-5645 is really fixed. Based on the original description here some distributions claim CVE-2012-5645 fixed now that they have applied one patch only. If you just add second fix to CVE-2012-5645, there will be no way of telling if particular logmsg about "CVE-2012-5645 fixed" means it's fixed completely, or only half of it. - ML
Current thread:
- About CVE-2012-5645 Marko Lindqvist (Dec 21)
- Re: About CVE-2012-5645 Kurt Seifried (Dec 29)
- Re: About CVE-2012-5645 Marko Lindqvist (Dec 30)
- Re: About CVE-2012-5645 Kurt Seifried (Dec 30)
- Re: About CVE-2012-5645 Marko Lindqvist (Dec 30)
- Re: About CVE-2012-5645 Kurt Seifried (Dec 29)