oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 29 Jan 2015 00:03:00 -0700
On 28/01/15 06:57 PM, Huzaifa Sidhpurwala wrote:

On 01/29/2015 03:17 AM, Florian Weimer wrote:


Use CVE-2012-6686 for "unbound alloca use in glob_in_dir" as covered
by Red Hat Bugzilla ID 797096.


Oh, it seems Huzaifa posted the wrong Bugzilla reference.



Yes, sorry wrong bz.


We still need assignment for this fix:

  <https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7>

The matching Red Hat Bugzilla bug is:

  <https://bugzilla.redhat.com/show_bug.cgi?id=981942>

The above is the correct bug  with the corresponding impact at:
https://bugzilla.redhat.com/show_bug.cgi?id=1186614

MITRE,

Can we still use the above CVE for this issue?


This would be a bad idea and lead to much confusion, especially for
people that have already consumed this CVE and written up reports that
in turn have been shipped to other people/etc.

Can we REJECT this CVE if the issue is not a security issue, obviously
if it is a security issue we should keep this CVE.

Additionally if we can get a new CVE for Bz981942 that would be great,
thanks!



I haven't yet seen an upstream bug for it; this change happened before
upstream required bugs being filed for all user-visible changes.






-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: