Re: Possible CVE Request: Multiple stack overflows in squashfs-tools and sasquatch

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > As far as we can tell, there are two independent types of problems:

> > We would guess that the most likely case is that only 3 and 6 are
> > applicable, i.e., the code problems are found only in
> > unsquash-1.c/unsquash-2.c/unsquash-3.c/unsquash-4.c and all of these
> > files exist in both squashfs-tools and sasquatch. Is this correct?

> Yes, that is correct.

> >   - "int bytes" is incorrect because the return value of
> >     SQUASHFS_FRAGMENT_BYTES can be larger than the maximum
> >     value of a signed int

Use CVE-2015-4645.


> >   - pull/5 says "If we fix this by making the variable size_t, we run
> >     into an unrelated problem in which the stack VLA allocation of
> >     fragment_table_index[] can easily exceed RLIMIT_STACK" but
> >     actually RLIMIT_STACK can be exceeded regardless of the data type
> >     of the bytes variable

Use CVE-2015-4646.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVgvnhAAoJEKllVAevmvms1oMH/iee0wchZqLNcdv94boq7Nu3
5AWJOLkFZjxAZrlyPvKS0e5wpnRO8Crc9ERLq4ndEzg/l5SFn1QSqgQ4eve7BiR7
rReKZo3m67lLBjn2g+eODNgg+SRp0wxzFallB9UnjX5zaE282/toIIj4+7AvPpXN
DVEgh96AnIUr0NyI5CsUDp6LJj75m96HOVz3iV4tYsiu2RK03eOjpm2TX9gqj8yT
3AZiXAYx4TkHq34BZMh9zMl762vENMj3ylGfB+/PFUIoQYdilxEbfquX2szZP6KL
gLteXkodoHfFN2sagP0pg/t5CNRPeLOqJYW+C04k2/Je7DEglZoJnJq5FKEeRyI=
=iU1A
-----END PGP SIGNATURE-----