Re: CVE assignment for c-icap Server

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://sourceforge.net/p/c-icap/bugs/59/
> i found the bug in the parse_request() function.
> Please see the details in the attachment.

> <Peter Berestov> pberestov () gmail com
> If a buffer doesn't contain " " or "?" then the *end pointer will increase
> The pointer can leave the area of memory allocated for the buffer.

Use CVE-2013-7401 for this specific issue discovered by Peter
Berestov.


> chtsanti 2013-10-02
>
> This bug and many other related fixed in trunk with patches:
> r1018 and r1021.
>
> http://sourceforge.net/p/c-icap/code/1018/
>
> Fix multiple problems on parsing ICAP requests. In many cases the c-icap may
> crash if not found a normal ICAP request.

Use CVE-2013-7402 for the chtsanti discoveries, i.e., the other issues
in the pre-r1018 code that made a remote crash possible. This might,
for example, include attack vectors with invalid method names.

There is no CVE ID for the http://sourceforge.net/p/c-icap/code/1021
issue. This seems to be a usability problem that was introduced by the
first version of the security fixes.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUFwT6AAoJEKllVAevmvmsIoEH/AnEdl+oKCBmSfWw/ixQonyY
pKmh4HF1OTh3AsC1tJ88hbDasvr3ZpvPcmPbFtLoRkB5IgFBrCfiAWMAbp3h3gp8
HyCaaz/im7D+gJuDDf1fxCyCqt8pG+Haffk0QGMAVnmbkCyk4NWMt20OXXj/lV/k
G0sXNLwl3J4f/BdjzcjMISZzq1qYq785epzyDycNKynpYA7z3e1fjesJyZ/wB2T5
O9bkjXRuhmjzbSTxYLAwXURVl4c7BWqJJASPq84UDg+R/pW5y3/OUMRrGJ2t79Rp
bAPDDp3mo47PutGcbKTJsZqg2Lu/UJmxvxk+ximP5VeB4MqFcwZv0tVi4byxPx8=
=WCEN
-----END PGP SIGNATURE-----