Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

[cve-assign () mitre org]

> On 28/01/15 06:57 PM, Huzaifa Sidhpurwala wrote:
> > On 01/29/2015 03:17 AM, Florian Weimer wrote:
> >
> > > > Use CVE-2012-6686 for "unbound alloca use in glob_in_dir" as covered
> > > > by Red Hat Bugzilla ID 797096.
> > >
> > > Oh, it seems Huzaifa posted the wrong Bugzilla reference.
> >
> > Yes, sorry wrong bz.
> >
> > > We still need assignment for this fix:
> > >
> > >   <https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7>
> > >
> > > The matching Red Hat Bugzilla bug is:
> > >
> > >   <https://bugzilla.redhat.com/show_bug.cgi?id=981942>
> > The above is the correct bug  with the corresponding impact at:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1186614
> >
> > MITRE,
> >
> > Can we still use the above CVE for this issue?
>
> This would be a bad idea and lead to much confusion, especially for
> people that have already consumed this CVE and written up reports that
> in turn have been shipped to other people/etc.
>
> Can we REJECT this CVE if the issue is not a security issue, obviously
> if it is a security issue we should keep this CVE.

The scope of CVE-2012-6686 has already been explicitly identified, i.e. it 
is 797096.  If 797096 does not cover a security issue, or is a duplicate, 
then we would need to REJECT the CVE.

However, 797096 reports that the issue "can lead to program crashes if 
excessively long inputs are passed to certain functions."  This still 
sounds like it could be a vulnerability.

Is this already associated with a different CVE?  797096 points to 
RHBA-2013:0022, which maps to CVE-2013-4357.  However, 797096's title does 
not include CVE-2013-4357.

> Additionally if we can get a new CVE for Bz981942 that would be great,
> thanks!

There now appear to be two different requests for two separate Bugzilla 
IDs that might be discussing the same issue.  Please clarify.

BZ 1186614 is "glibc: Invalid-free when using getaddrinfo()".  It points 
to 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7 
which is "Fix encoding name for IDN in getaddrinfo" and modifies 
gaih_inet() in sysdeps/posix/getaddrinfo.c by setting name=p and 
malloc_name=true.

CVE-2013-7424 is now assigned with the issue whose scope is defined by 
commit 2e96f1c7 / gaih_inet().  (A 2011 year is not used because 2e96f1c7 
does not clearly identify any security relevance.)

A separate Bugzilla ID, 981942, might be a duplicate.  It is titled "ping6 
with idn causes crash," includes Comment 4 (Carlos O'Donell 2013-07-08 
09:54:18 EDT) which references a discrepancy with upstream's "name = p;" 
fix in gaih_inet().  It also directly includes commit 2e96f1c7, which has 
now been associated with CVE-2013-7424/BZ1186614.  Yet, here in 981942, 
there is no apparent reference to 1186614.

Is 981942 a duplicate of CVE-2013-7424/BZ1186614, or is a separate CVE ID 
required?  If a new ID is required, please explain the difference.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]