oss-sec mailing list archives
Re: CVE Request: t1utils: buffer overflow in set_cs_start
From: cve-assign () mitre org
Date: Fri, 22 May 2015 15:08:03 -0400 (EDT)
https://github.com/kohler/t1utils/blob/master/NEWS
https://bugs.debian.org/779274
https://github.com/kohler/t1utils/issues/4
https://github.com/kohler/t1utils/commit/6b9d1aafcb61a3663c883663eb19ccdbfcde8d33
https://bugzilla.redhat.com/show_bug.cgi?id=1218365#c7
t1disasm: buffer overflow in set_cs_start
As far as we can tell, versions before 1.39 had two different instances of the unchecked "while (!isspace(*q) && *q != '{')" loop. One of them, found by a researcher using afl-fuzz, was in the set_cs_start function in t1disasm.c. The other, apparently found manually by the vendor, was in the main function of t1asm.c.

There are similar situations in which there might have been two CVE IDs assigned. Here, however, we feel that there should be only one CVE ID, because it seems extremely unlikely that t1disasm.c and t1asm.c had independent mistakes. Almost certainly, the mistake was made once and then copied from one file into the other.

Use CVE-2015-3905.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
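Added example (not part of the original message and not t1utils code): the unchecked loop quoted above next to a bounded form of the same token copy. The function names, the 10-byte buffer size and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 10  /* assumed destination size, for illustration only */

/* Constructed inputs: a short token, and one longer than the buffer. */
static const char SHORT_IN[] = "RD {string currentfile";
static const char LONG_IN[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA{";

/* The pattern quoted in the message: it stops only at whitespace or '{',
 * so a longer token, or input with no delimiter, writes past dst. */
static void copy_name_unchecked(char *dst, const char *q)
{
    while (!isspace((unsigned char)*q) && *q != '{')
        *dst++ = *q++;
    *dst = '\0';
}

/* Bounded form: also stops at end of input and when dst is full.
 * Returns 0 on success, -1 if the token did not fit (dst holds a prefix). */
static int copy_name_bounded(char *dst, size_t dstsz, const char *q)
{
    size_t n = 0;

    if (dstsz == 0)
        return -1;
    while (*q != '\0' && !isspace((unsigned char)*q) && *q != '{') {
        if (n + 1 >= dstsz) {       /* keep one byte for the terminator */
            dst[n] = '\0';
            return -1;
        }
        dst[n++] = *q++;
    }
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_BUF_LEN];
    int rc = copy_name_bounded(name, sizeof name, LONG_IN);

    printf("rc=%d name=%s\n", rc, name);  /* oversized token is rejected */
    return 0;
}
```

The unchecked function is only safe to call with input such as SHORT_IN; a caller of the bounded form should treat -1 as a parse error rather than use the truncated name.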
Current thread:
- CVE Request: t1utils: buffer overflow in set_cs_start Salvatore Bonaccorso (May 13)
- Re: CVE Request: t1utils: buffer overflow in set_cs_start cve-assign (May 22)