oss-sec mailing list archives
Re: Old cscope buffer overflow
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 6 May 2009 18:49:22 +0200
On Wed, 6 May 2009 11:49:14 -0400 (EDT) "Steven M. Christey" <coley () linus mitre org> wrote:
If you're preparing cscope updates for CVE-2009-0148 and you may still be shipping packages based on 15.5, you may want to have a look at: https://bugzilla.redhat.com/show_bug.cgi?id=499174 Steve, as the first public report for this is from 2006: https://bugzilla.redhat.com/show_bug.cgi?id=189666 I believe 2006 CVE id is needed here.We recently updated CVE-2009-0148 for overflows in cscope before 15.7a. Is this the same issue, or do we need a different one? This seems to be distinct from CVE-2006-4262 as well...
Different from both. CVE-2009-0148 is more of a dupe / re-occurrence / incomplete fix of even older CVE-2004-2541. Some vendors originally addressed that via sprintf -> snprintf across whole sources. Upstream instead preferred to use "%.*s" with bit of length math to avoid overflow and not harm portability. Though the math could int underflow, still allowing buffer overflow. BZ#189666 issue was fixed upstream in 15.6. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- Old cscope buffer overflow Tomas Hoger (May 05)
- Re: Old cscope buffer overflow Steven M. Christey (May 06)
- Re: Old cscope buffer overflow Tomas Hoger (May 06)
- Re: Old cscope buffer overflow Steven M. Christey (May 06)
- Re: Old cscope buffer overflow Tomas Hoger (May 06)
- Re: Old cscope buffer overflow Steven M. Christey (May 06)