oss-sec mailing list archives
Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 29 Jan 2015 00:03:00 -0700
On 28/01/15 06:57 PM, Huzaifa Sidhpurwala wrote:
On 01/29/2015 03:17 AM, Florian Weimer wrote:
Use CVE-2012-6686 for "unbound alloca use in glob_in_dir" as covered by Red Hat Bugzilla ID 797096.
Oh, it seems Huzaifa posted the wrong Bugzilla reference.
Yes, sorry wrong bz.
We still need assignment for this fix: <https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7>
The matching Red Hat Bugzilla bug is: <https://bugzilla.redhat.com/show_bug.cgi?id=981942>
The above is the correct bug with the corresponding impact at: https://bugzilla.redhat.com/show_bug.cgi?id=1186614
MITRE, Can we still use the above CVE for this issue?
This would be a bad idea and lead to much confusion, especially for people that have already consumed this CVE and written up reports that in turn have been shipped to other people/etc. Can we REJECT this CVE if the issue is not a security issue, obviously if it is a security issue we should keep this CVE. Additionally if we can get a new CVE for Bz981942 that would be great, thanks!
I haven't yet seen an upstream bug for it; this change happened before upstream required bugs being filed for all user-visible changes.
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993