oss-sec mailing list archives

Re: CVE Request: zlib security issues found during audit


From: <cve-assign () mitre org>
Date: Mon, 5 Dec 2016 17:13:43 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit

had some findings (1 medium, 4 low)

Here are 4 CVE IDs; it is not a one-to-one mapping.

Finding 1: Incompatible declarations for external linkage function deflate (Medium)
Fix: https://github.com/madler/zlib/commit/3fb251b363866417122fe54a158a1ac5a7837101

We feel that the scope of CVE should, ideally, omit unexploitable
code-quality issues. The PDF report has a number of comments about
Finding 1; however, one comment is "current compilers process this
code without issues." A finding can be important to the practice of
software development without being important for vulnerability
management. For now, the answer is that there is no CVE ID.


Finding 2: Accessing a buffer of char via a pointer to unsigned int (Low)
UNRESOLVED: This issue remains under discussion

There is no CVE ID. The PDF report mentions, for example, "There are several
possible fixes ... Do nothing."


Finding 3: Out-of-bounds pointer arithmetic in inftrees.c (Low)

https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0

Use CVE-2016-9840.


https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb

Use CVE-2016-9841.


Finding 4: Undefined left shift of negative number (Low)
Fix: https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958

Use CVE-2016-9842.


Finding 5: Big-endian out-of-bounds pointer (Low)
Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811

Use CVE-2016-9843.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
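The three findings that did receive CVE IDs above fall into two classes of C undefined behaviour: shifting a negative signed value (Finding 4) and forming a pointer outside the bounds of an array, whether by pre-decrementing before the first element or computing past one-past-the-end (Findings 3 and 5). The following is an added illustration, not zlib's code and not taken from the audit report or the linked commits; the function names and the byte sample are constructed, and the "undefined" function is shown only for contrast.

```c
/* Added illustration, not zlib code: the two classes of undefined behaviour
 * named in Findings 3-5, each beside a portable rewrite. Build with
 * -fsanitize=undefined to have UBSan report the shift pattern at run time. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Finding 4 class: left-shifting a negative signed value is undefined
 * (C99 6.5.7p4). This is the pattern to avoid; it is kept only for contrast
 * and is never called below. */
long shift_left_signed_undefined(long v, unsigned bits)
{
    return v << bits;                 /* undefined when v < 0 */
}

/* Portable rewrite: shift the unsigned representation, then convert back.
 * The shift itself is always defined; on the two's-complement targets in
 * common use the conversion back yields the intended value. */
long shift_left_portable(long v, unsigned bits)
{
    return (long)((unsigned long)v << bits);
}

/* Assemble a big-endian 32-bit word. Each byte is widened to uint32_t
 * before the shift, so no shift is applied to a signed or narrow type. */
uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Findings 3 and 5 class: pointer arithmetic that forms an address below
 * buf or beyond buf + len (for example pre-decrementing before the first
 * read, or computing "end + 1" for a comparison) is undefined even if the
 * address is never dereferenced. Iterating by index keeps every pointer
 * formed here inside [buf, buf + len]. */
uint32_t xor_words_be(const unsigned char *buf, size_t len)
{
    uint32_t acc = 0;
    size_t i = 0;

    /* Whole 4-byte words: i + 4 <= len, so buf + i .. buf + i + 3 are valid. */
    for (; i + 4 <= len; i += 4)
        acc ^= load_be32(buf + i);

    /* Remaining 0..3 bytes, placed in their big-endian positions. */
    for (; i < len; i++)
        acc ^= (uint32_t)buf[i] << (8 * (3 - (i & 3)));

    return acc;
}

/* Constructed sample input (not from the report): two full words plus one
 * trailing byte, so both loops above execute. */
static const unsigned char sample[9] = {
    0x01, 0x02, 0x03, 0x04, 0x10, 0x20, 0x30, 0x40, 0xAA
};

uint32_t demo_checksum(void)
{
    return xor_words_be(sample, sizeof sample);
}

int main(void)
{
    printf("shift_left_portable(-1, 4) = %ld\n", shift_left_portable(-1L, 4));
    printf("xor_words_be(sample)       = 0x%08lx\n",
           (unsigned long)demo_checksum());
    return 0;
}
```

The point for vulnerability management is the one the message itself makes: the "before" patterns happen to behave as expected with current compilers, but the standard gives the optimizer licence to assume they never occur, so the safe form is the one whose every intermediate value is defined, not the one that passes today's tests.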

