Re: Cve issue discussion

[Marcus Meissner <meissner () suse de>]

Hi,

if it could crash the image reader I would consider it "remote denial of service"
classed and CVE worthy. 

Ciao, Marcus
On Mon, Aug 07, 2017 at 08:15:14AM -0400, Glenn Randers-Pehrson wrote:
> Do memory-exhaustion bugs get a CVE?  Suppose an application is fooled
> into requesting 2Gb of memory but then never uses it other than
> attempting to read it, immediately hitting EOF, and cleaning up.
>
> I'm addressing such a bug in libpng right now, in which the user
> is sent a PNG file containing a tEXt chunk that claims to have a 2GB
> length (but none of the 2GB data is included in the PNG).  On my
> platform libpng deals with that almost instantaneously, but I think
> some platforms (ASAN builds?) would actually allocate the memory
> before proceeding to read the data.
>
> Glenn
>
>
> On Mon, Aug 7, 2017 at 5:47 AM, ne xo <nexo123 () outlook kr> wrote:
> > Hello,
> >
> > thank you for the reply!
> >
> > I chose the report at random.
> >
> > I'm sorry if I was offended to mention the report.
> >
> > Thanks.
> > <http://aka.ms/weboutlook>
> > ________________________________
> > 보낸 사람: Agostino Sarubbo <ago () gentoo org>
> > 보낸 날짜: 2017년 8월 7일 월요일 오후 4:42:05
> > 받는 사람: oss-security () lists openwall com
> > 제목: Re: [oss-security] Cve issue discussion
> >
> > On Monday 07 August 2017 01:03:53 ne xo wrote:
> > > Hello,
> > >
> > >
> > > I am curious about issuing CVEs.
> > >
> > > I can see that a "NULL pointer dereference" or a bug where the exploit has
> > > not been verified also get a CVE.
> >
> > > heap-overflows may or may not be exploitable.
> > >
> > >
> > > It takes a lot of time to analyze the exploit and create the exploit code.
> > >
> > >
> > > Is it right to be assigned a CVE only if it is exploitable?
> > >
> > >
> > > Or do you think all bugs need to get a CVE?
> > >
> > >
> > > Thanks.
> > >
> > > ---
> > >
> > > ref
> > >
> > > ---
> > >
> > > [1]http://www.openwall.com/lists/oss-security/2017/04/10/17 - NULL pointer
> > > dereference
> > > [2]http://www.openwall.com/lists/oss-security/2017/04/10/15 -
> > > memory allocation failure
> >
> > Hi.
> >
> > Since you mentioned some issues reported by me, let me answer directly.
> > For the first, it is an undefined behavior, so actually you don't see the
> > crash.
> > Nowadays, the undefined behavior issues do not get anymore a CVE.
> >
> >
> > For the second, ASAN reports that the program want to use more that 64GB of
> > ram to execute the process so ASAN hangs the process. In this case is up to
> > the maintainer check whether there is a problem in the code or not, or it is
> > expected. The better double-check would be verify what happens without ASAN.
> >
> > I'd like also to mention that MITRE assigns CVE after they analyze the
> > reported issue, so if an issue does not deserve a CVE, MITRE probably won't
> > assign accompanied by an explanation.
> >
> > --
> > Agostino Sarubbo
> > Gentoo Linux Developer

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 
53-432,,serv=loki,mail=wotan,type=real <meissner () suse de>