oss-sec mailing list archives
Re: CVE Request: zlib security issues found during audit
From: <cve-assign () mitre org>
Date: Mon, 5 Dec 2016 17:13:43 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib https://wiki.mozilla.org/images/0/09/Zlib-report.pdf https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit
had some findings (1 medium, 4 low)
Here are 4 CVE IDs; it is not a one-to-one mapping.
Finding 1: Incompatible declarations for external linkage function deflate (Medium) Fix: https://github.com/madler/zlib/commit/3fb251b363866417122fe54a158a1ac5a7837101
We feel that the scope of CVE should, ideally, omit unexploitable code-quality issues. The PDF report has a number of comments about Finding 1; however, one comment is "current compilers process this code without issues." A finding can be important to the practice of software development without being important for vulnerability management. For now, the answer is that there is no CVE ID.
Finding 2: Accessing a buffer of char via a pointer to unsigned int (Low) UNRESOLVED:This issue remains under discussion
There is no CVE ID. The PDF report mentions, for example, "There are several possible fixes ... Do nothing."
Finding 3: Out-of-bounds pointer arithmetic in inftrees.c (Low)
https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
Use CVE-2016-9840.
https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
Use CVE-2016-9841.
Finding 4: Undefined left shift of negative number (Low) Fix: https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958
Use CVE-2016-9842.
Finding 5: Big-endian out-of-bounds pointer (Low) Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
Use CVE-2016-9843. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYReVZAAoJEHb/MwWLVhi22fMP/j6Pw7FkFDrKLjy/okWP/QoM imxWROlUse9/xACgcA+9eMiGbkm54ntx20bpEWOAUA8+H1KW+bvCrcFX3a6d1IuE vVrI0XcKQiKwVngem5XPEcvtAwFa85U4RUFZmYcqPYe7n0Yo7LoWwH9HI6/8Mziq yGIKgcPfY88FA8YM0DeSmkwQJ7WByKF4TzoChd6pK2NlwP1SFa2lMgrg4JhM9PAs 9d2ye1OkVvVV1BPnjhVFe8S0Ze8IeOy1jeKS4lUbpgIZn4WdbERQ3ORAPuhRxAdZ mn7/MbulenkQKd3vnEKmA8qK5p/h6E8jnCUCbasgAtsareZHgPmDd7NON3LmmAYG q0X8Rrk13i2h+gpGVJlT7D4Gx/n3gIEBbSKNmBIPjQmXH/sOQN/0XLls/Cock4Pm mjw3mIFLu/CQ1JNBdMQpY9zMpAHQzMX0qAfiJa0f/UfaN4k8A6uQAJWWskl48aBs xp/dz2nOVJcCwmbmkKsfied610QLC8yXwXGmh+TTPxpSXxkr0+o3r5m8S7sjkMJA Uuctv6UEKx6wqJum1G7UDcpkQVzSJOXvZ2TKzMhHirjfrUlg7Bfg31kQj0IfKicn VeLM3IBnrvl08u1Dpi9A62YSPtuQQZ+8XqcVfUB/0Wf+0uaV/Wp5as0ylPWMlpBK 9foWchAV8inhIVAMDbwQ =P6rB -----END PGP SIGNATURE-----
Current thread:
- CVE Request: zlib security issues found during audit Marcus Meissner (Dec 04)
- Re: CVE Request: zlib security issues found during audit cve-assign (Dec 05)