Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community



Latest Posts

Re: Vulnerability fixed in Quassel? Pierre Schweitzer (Oct 25)
Was a CVE ID assigned for the Konversation bug?

In any case, it's way worse than my understanding (thanks for the

So I believe a CVE should be assigned to that commit for Quassel. Do
we need the project owners to ask for it? Or MITRE can just assign it?


cve request: libbfd? Michal Zalewski (Oct 25)

You may want to assign something to:


This is slightly complicated by the fact that libbfd is just bad in
general and there likely are dozens of individual bugs, but the
write-to-arbitrary-pointer issues with ELF section parsing in elf.c
sort of stand out.


Re: strings / libbfd crasher Tavis Ormandy (Oct 25)
Yeah, `strings -a` is closer to what people expect by default - most
people find the section parsing a surprise. I found this one 10 years
ago https://bugs.gentoo.org/show_bug.cgi?id=91398, and suggested at
the time that maybe `strings -a` should be the default mode, enabling
bfd parsing only when requested.

This was dismissed by upstream, but I still think it's a good idea...


Re: strings / libbfd crasher mancha (Oct 24)

Unfortunately, the buggy code can be arrived at via multiple entry
points (e.g. objdump -p or nm on stringme, stringmetoo, and
strings-bfd-badfree). Those are also commonly used on untrusted binaries
(e.g. forensics). Fixing the core issues seems the way to go.


Re: strings / libbfd crasher Michal Zalewski (Oct 24)

Tavis mentioned to me some time ago that he made that suggestion
upstream when he bumped into other issues many years ago; he can
probably comment on how that went, but more generally, distro vendors
have some latitude to apply non-upstream patches to change the default
behavior... maybe that's the way to go.


Re: strings / libbfd crasher Hanno Böck (Oct 24)
I've checked the upstream patch they pointed me to:

Unfortunately this mixes in another change that is a revert, so it
doesn't apply cleanly to the current release (2.24), if anyone needs it
I've re-diffed it:

This fixes the original stringme and stringmetoo from mancha, but not...

Re: Duplicate Request: CVE-2013-4444 as a duplicate of CVE-2013-2185 cve-assign (Oct 24)
In cases of disputes about the validity of a vulnerability with
respect to a specific threat model, it's sometimes possible to have
multiple CVEs.

https://bugzilla.redhat.com/CVE-2013-2185 says:

This suggests a completely general case in which the serialized
instance could come from an arbitrary untrusted source in an
application-specific way. Apparently, from the perspective of the
Apache Tomcat maintainer, they are not interested in...

Re: strings / libbfd crasher Michal Zalewski (Oct 24)
Filed this as:

Re: strings / libbfd crasher Michal Zalewski (Oct 24)
I do have a bunch more that seem exploitable, though - for example:

http://lcamtuf.coredump.cx/strings-bfd-badfree - does this repro for
people (I tried with binutils 2.24)?

I think that given the expectations people have around what strings
does and whether it's safe to run on untrusted binaries, I'd seriously
question the wisdom of making it use libbfd, at least by default;
perhaps distros want to consider non-upstream patches that...

kvm issues Petr Matousek (Oct 24)

A number of kvm issues were disclosed today, here's the list.




New security advisories released for Apache CXF Colm O hEigeartaigh (Oct 24)
CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of
Service (DoS) attack

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.0.0-milestone1,
2.7.8 and 2.6.11.


An Apache CXF JAX-RS service can process SAML tokens received in the
authorization header of a request via the SamlHeaderInHandler. However it is
possible to...

CVE-2014-8369 - Linux kernel iommu.c excessive unpinning cve-assign (Oct 24)
CVE-2014-8369 has been assigned to this virt/kvm/iommu.c issue:


(This vulnerability exists because of an incorrect fix for

Re: strings / libbfd crasher Hanno Böck (Oct 24)
I've now put this in upstream's bugtracker:

Hope no one else has already done this.

Re: strings / libbfd crasher mancha (Oct 24)
To clarify...

While my sample input to strings (or objdump, etc.) also gets bytes to
wrap around, the nature of the crash is different than that of Michal's
sample. My input triggers a NULL pointer dereference and further
demonstrates the need to tighten up the codebase.

Re: Vulnerability fixed in Quassel? Bas Pape (Oct 24)
Sorry, forgot to actually paste the link. The Konversation bug can be found at
