oss-sec mailing list archives
Re: CVE Request coreutils
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 21 Jan 2013 11:16:58 -0700
On 01/21/2013 07:59 AM, Michael Tokarev wrote:
> 21.01.2013 18:54, Sebastian Krahmer wrote:
>> Hi,
>>
>> Can someone assign a CVE id for a buffer overflow in coreutils?
>> It's the same code snippet (coreutils-i18n.patch) and it affects
>> sort, uniq and join:
>
> It's probably worth mentioning that these are SuSE-specific and
> not in upstream, if I understand correctly.
>
>> https://bugzilla.novell.com/show_bug.cgi?id=798538
>> https://bugzilla.novell.com/show_bug.cgi?id=796243
>> https://bugzilla.novell.com/show_bug.cgi?id=798541
>
> Thanks,
> /mjt

I'm not clear on exploitation. You would have to run sort/uniq/join against attacker-supplied input, and then the sort/uniq/join binaries would crash. Is there any code execution possible?

In general, DoSes in user programs don't get CVEs unless the user program loads remote content easily/commonly (e.g. email/web browsers). Although I could be wrong; Steve, can you confirm that these issues don't need a CVE?

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993