oss-sec mailing list archives
Re: CVE assignment for c-icap Server
From: cve-assign () mitre org
Date: Mon, 15 Sep 2014 11:28:12 -0400 (EDT)
> http://sourceforge.net/p/c-icap/bugs/59/
> I found the bug in the parse_request() function. Please see the details in the attachment.

> <Peter Berestov> pberestov () gmail com
> If a buffer doesn't contain " " or "?" then the *end pointer will increase
> The pointer can leave the area of memory allocated for the buffer.

Use CVE-2013-7401 for this specific issue discovered by Peter Berestov.

> chtsanti 2013-10-02
> This bug and many other related fixed in trunk with patches: r1018 and r1021.

> http://sourceforge.net/p/c-icap/code/1018/
> Fix multiple problems on parsing ICAP requests. In many cases the c-icap may crash if not found a normal ICAP request.

Use CVE-2013-7402 for the chtsanti discoveries, i.e., the other issues in the pre-r1018 code that made a remote crash possible. This might, for example, include attack vectors with invalid method names.

There is no CVE ID for the http://sourceforge.net/p/c-icap/code/1021 issue. This seems to be a usability problem that was introduced by the first version of the security fixes.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
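
An added example, not part of the original message and not c-icap's code: a bounded delimiter scan in C that rejects input lacking both " " and "?" instead of advancing past the buffer, the failure the quoted report describes. The function names and the sample inputs are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unbounded pattern of the kind the report describes, for contrast only:
 *     while (*end != ' ' && *end != '?') end++;
 * With neither delimiter present, `end` walks past the buffer. */

/* Hypothetical helper: first ' ' or '?' in buf[0..len), or NULL when the
 * delimiter is missing (an embedded NUL also counts as malformed). */
static const char *find_service_end(const char *buf, size_t len)
{
    const char *end = buf;
    const char *limit = buf + len;

    while (end < limit && *end != ' ' && *end != '?' && *end != '\0')
        end++;
    if (end == limit || *end == '\0')
        return NULL;
    return end;
}

/* Hypothetical helper: copy the token before the delimiter into out.
 * Returns 0 on success, -1 if the input is malformed or does not fit. */
static int copy_service_name(const char *buf, size_t len,
                             char *out, size_t outsz)
{
    const char *end = find_service_end(buf, len);
    size_t n;

    if (end == NULL)
        return -1;
    n = (size_t)(end - buf);
    if (n == 0 || n >= outsz)
        return -1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one with no ' ' or '?' and no NUL. */
    const char good[] = "echo?opt=1 ICAP/1.0";
    const char bad[4] = { 'e', 'c', 'h', 'o' };
    char name[16];

    printf("good: %d\n", copy_service_name(good, sizeof good - 1, name, sizeof name));
    printf("bad:  %d\n", copy_service_name(bad, sizeof bad, name, sizeof name));
    return 0;
}
```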