Re: Cve issue discussion

[Glenn Randers-Pehrson <glennrp () gmail com>]

Do memory-exhaustion bugs get a CVE?  Suppose an application is fooled
into requesting 2Gb of memory but then never uses it other than
attempting to read it, immediately hitting EOF, and cleaning up.

I'm addressing such a bug in libpng right now, in which the user
is sent a PNG file containing a tEXt chunk that claims to have a 2GB
length (but none of the 2GB data is included in the PNG).  On my
platform libpng deals with that almost instantaneously, but I think
some platforms (ASAN builds?) would actually allocate the memory
before proceeding to read the data.

Glenn


On Mon, Aug 7, 2017 at 5:47 AM, ne xo <nexo123 () outlook kr> wrote:
> Hello,
>
> thank you for the reply!
>
> I chose the report at random.
>
> I'm sorry if I was offended to mention the report.
>
> Thanks.
> <http://aka.ms/weboutlook>
> ________________________________
> 보낸 사람: Agostino Sarubbo <ago () gentoo org>
> 보낸 날짜: 2017년 8월 7일 월요일 오후 4:42:05
> 받는 사람: oss-security () lists openwall com
> 제목: Re: [oss-security] Cve issue discussion
>
> On Monday 07 August 2017 01:03:53 ne xo wrote:
> > Hello,
> >
> >
> > I am curious about issuing CVEs.
> >
> > I can see that a "NULL pointer dereference" or a bug where the exploit has
> > not been verified also get a CVE.
>
> > heap-overflows may or may not be exploitable.
> >
> >
> > It takes a lot of time to analyze the exploit and create the exploit code.
> >
> >
> > Is it right to be assigned a CVE only if it is exploitable?
> >
> >
> > Or do you think all bugs need to get a CVE?
> >
> >
> > Thanks.
> >
> > ---
> >
> > ref
> >
> > ---
> >
> > [1]http://www.openwall.com/lists/oss-security/2017/04/10/17 - NULL pointer
> > dereference
> > [2]http://www.openwall.com/lists/oss-security/2017/04/10/15 -
> > memory allocation failure
>
> Hi.
>
> Since you mentioned some issues reported by me, let me answer directly.
> For the first, it is an undefined behavior, so actually you don't see the
> crash.
> Nowadays, the undefined behavior issues do not get anymore a CVE.
>
>
> For the second, ASAN reports that the program want to use more that 64GB of
> ram to execute the process so ASAN hangs the process. In this case is up to
> the maintainer check whether there is a problem in the code or not, or it is
> expected. The better double-check would be verify what happens without ASAN.
>
> I'd like also to mention that MITRE assigns CVE after they analyze the
> reported issue, so if an issue does not deserve a CVE, MITRE probably won't
> assign accompanied by an explanation.
>
> --
> Agostino Sarubbo
> Gentoo Linux Developer