Re: CVE Request -- Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP R14B02 -- multiple security fixes

[Sverker Eriksson <sverker () erix ericsson se>]

Jan Lieskovsky wrote:
> Hello Steve, vendors,
>
>   based on:
>   [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
>
>   and:
>   [2] http://www.erlang.org/download/otp_src_R14B.readme
>   [3] http://www.erlang.org/download/otp_src_R14B01.readme
>   [4] http://www.erlang.org/download/otp_src_R14B02.readme
>
> performed some initial issues review -- erlang-CVE-request.txt
> attached. But since not sure, which of those are real security
> flaws and how many CVE ids will be needed for those, Cc-ing
> also Erlang upstream developers to shed more light into this.
>
> The distribution of OTPs is as follows:
> =======================================
> Rickard Green:          OTP-8810, OTP-8781, OTP-8925, OTP-9005, OTP-8999
> Bjorn-Egil Dahlberg:    OTP-8814, OTP-8827, OTP-8943
> Sverker Eriksson:       OTP-8945, OTP-8716
> Patrik Nyblom:          OTP-7178, OTP-8780, OTP-8993
> Raimo Niskanen:         OTP-8729, OTP-8795
> Bjorn Gustavsson:       OTP-8831, OTP-8892, OTP-9117
> Niclas Axelsson:        OTP-9101
> Hans Bolinder:          OTP-8898
>
> Rickard, Bjorn-Egil, Sverker, Patrik, Raimo, Bjorn, Niclas, Hans,
> could you please have a look at the attached review file
> and reply which of the #20 OTPs in the list are security flaws
> (so we would know the count of CVE identifiers needed) and which
> are just bugs? (since you know the Erlang code better than me)
>
> Help / guidance from your side is really appreciated to resolve
> this one.
>
> Thank you in advance for your time and cooperation.
>
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team

I would consider both OTP-8945 and OTP-8716 to be security flaws.

/Sverker, Erlang/OTP