oss-sec mailing list archives
Re: Re: CVE-Request -- Google Email App 4.2.2 remote denial of service
From: Hector Marco <hecmargi () upv es>
Date: Tue, 10 Feb 2015 15:28:16 +0100
On 09/02/15 at 22:40, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> A bug in the stock Google email application
>
> Is the source code and fix in 4.2.2.0400 the same as in: https://src.chromium.org/viewvc/blink?revision=152293&view=revision ? If so, then it is an open-source vulnerability, and can have one CVE-2013-#### ID assigned here, even if the relevant HTTPParsers.cpp code is also bundled in one or more closed-source products. If it is independent source code that happens to have the same attack vector (the attack vector in http://hmarco.org/bugs/google_email_app_4.2.2_denial_of_service.html appears to be identical to the attack vector in the https://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/misc/resources/nearly-empty-content-disposition.php test), then revision 152293 could probably have a separate new CVE-2013-#### ID.
It is a different source code and fix. The source code is available in: https://android.googlesource.com/platform/packages/apps/Email
Note that the HTTPParsers.cpp is the file which parses the headers but in the Email App this is done by the MimeUtility.java.
It seems that the Chromium bug is very similar to the Email one, but I think the attack vector is different since in the first case, it can be exploited by sending an email and in the second case by visiting a website.
Regards, Hector Marco.
Current thread:
- CVE-Request -- Google Email App 4.2.2 remote denial of service Hector Marco (Feb 09)
- Re: CVE-Request -- Google Email App 4.2.2 remote denial of service Alexander Cherepanov (Feb 09)
- Re: CVE-Request -- Google Email App 4.2.2 remote denial of service cve-assign (Feb 09)
- Re: Re: CVE-Request -- Google Email App 4.2.2 remote denial of service Hector Marco (Feb 10)
- Re: CVE-Request -- Google Email App 4.2.2 remote denial of service cve-assign (Feb 11)
- Re: CVE-Request -- Google Email App 4.2.2 remote denial of service Hector Marco (Feb 11)
- Re: CVE-Request -- Google Email App 4.2.2 remote denial of service cve-assign (Feb 12)
- Re: CVE-Request -- Google Email App 4.2.2 remote denial of service cve-assign (Feb 15)
- Re: CVE-Request -- Google Email App 4.2.2 remote denial of service Hector Marco (Feb 16)