oss-sec mailing list archives

Re: CVE Request : NAS v1.9.3 multiple Vulnerabilities


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Aug 2013 14:18:35 -0600

On 08/16/2013 12:44 AM, Hamid Zamani wrote:
> Hello,
>
> Recently I reported some vulnerabilities in Network Audio System
> (NAS) - v1.9.3
>
> These vulnerabilities were reported at:
>
> http://radscan.com/pipermail/nas/2013-August/001270.html
>
> and 3 fixes upstream:
>
> https://sourceforge.net/p/nas/code/288/
> https://sourceforge.net/p/nas/code/287/tree//trunk/server/os/utils.c?diff=517ad7dc2718467b12eafbad:286
> https://sourceforge.net/p/nas/code/289/tree//trunk/server/os/connection.c?diff=517ad7dc2718467b12eafbad:288
>
> Is it possible to assign a CVE for these?
>
> Thank you


Ok so we got a total of three kinds of vulns, so same
version/researcher I'm CVE MERGEing them:

Buffer Overflows please use CVE-2013-4256
Heap Overflow please use CVE-2013-4257
Format String please use CVE-2013-4258

As for "Possible Race Condition and symlink attack:" can we confirm
it's a security issue?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993